[Snort-sigs] problem writing rules for checking traffic and content

mad.eye at ...433...
Tue Aug 19 05:13:08 EDT 2003


The solution for your task is writing pass rules:

Change the order to pass-log-alert and then define your policy using pass
rules.

First your pass rules will be checked, then the alert rules.
As long as the sniffed packets match one of your pass rules, snort will
stay silent.

If none of the pass rules match, snort will continue with the alert rules.
If one of the alert rules matches, snort will issue an alert according to
that rule.

If none of the pass rules and none of the alert rules match, snort will
trigger on the last rule in your ruleset:

alert any any

Thus snort will trigger on all traffic that is not explicitly allowed in
your pass rules.

But beware: one errant pass rule can mess up everything, that is to say, you
might be blind to some illegitimate traffic if your rules are incorrect. So be
careful...

HTH,
Detmar

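The pass-first evaluation described in the reply above, as an added example that is not code from this thread or from Snort itself: a toy Python matcher for a small subset of Snort 2 rule syntax (unidirectional header, CIDR/any/negated addresses, single ports or lo:hi ranges, the content and msg options) runs a constructed policy against constructed packets under three configurations. The pass-alert-log order is the reordering the reply recommends; the alert-first order is assumed here to be Snort 2's default (the one the -o switch or the "config order:" directive changes); the third run prepends one over-broad pass rule. Every rule, address and packet below is made up for the illustration.

```python
"""Toy model of Snort-style rule ordering (added example, not Snort's code).
Models a subset of Snort 2 rule syntax: "action proto src sport -> dst dport"
with 'any', CIDR and '!' negation, single ports or lo:hi ranges, and the
'content' and 'msg' options. All rules, addresses and packets are constructed."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport payload", defaults=(b"",))
Rule = namedtuple("Rule", "action proto src sport dst dport content msg")

def parse_rule(text: str) -> Rule:
    head, _, opts = text.strip().partition("(")
    action, proto, src, sport, arrow, dst, dport = head.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' headers are modelled")
    content, msg = None, ""
    for opt in opts.rstrip(")").split(";"):   # option values must not contain ';'
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            content = val.encode()
        elif key == "msg":
            msg = val
    return Rule(action, proto, src, sport, dst, dport, content, msg)

def _addr_ok(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def _port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)    # "ip" rules match every protocol
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)
            and (rule.content is None or rule.content in pkt.payload))

PASS_FIRST = ("pass", "alert", "log")    # the reordering the reply describes
ALERT_FIRST = ("alert", "pass", "log")   # assumed Snort 2 default order

def evaluate(rules, pkt: Packet, order=PASS_FIRST):
    """First match wins. Action groups are tried in `order`, so under
    PASS_FIRST a matching pass rule means no alert rule is ever consulted."""
    for action in order:
        for r in rules:
            if r.action == action and matches(r, pkt):
                return action, r.msg
    return None, ""

# Constructed policy: the allow-list as pass rules, one content check, and
# the catch-all that fires on everything not explicitly passed.
POLICY = [parse_rule(r) for r in (
    'pass tcp 10.0.0.0/8 any -> any 80 (msg:"allowed web";)',
    'pass tcp 10.0.0.0/8 any -> 10.1.1.10 1433 (msg:"allowed sql";)',
    'alert tcp any any -> any 80 (content:"/etc/passwd"; msg:"passwd in URL";)',
    'alert ip any any -> any any (msg:"not explicitly allowed";)',
)]
# Same policy plus one over-broad pass rule (say, a typo for a single host).
ERRANT = [parse_rule('pass tcp any any -> any any (msg:"oops";)')] + POLICY

PACKETS = {  # constructed sample traffic
    "sql_ok": Packet("tcp", "10.2.3.4", 40000, "10.1.1.10", 1433),
    "ssh_out": Packet("tcp", "10.2.3.4", 40001, "203.0.113.7", 22),
    "ext_attack": Packet("tcp", "198.51.100.9", 5555, "10.9.9.9", 80, b"GET /etc/passwd"),
    "int_attack": Packet("tcp", "10.2.3.4", 40002, "203.0.113.7", 80, b"GET /etc/passwd"),
}

def run_demo() -> dict:
    """{config: {packet name: (action, msg)}} for the three configurations."""
    return {
        "pass_first": {n: evaluate(POLICY, p, PASS_FIRST) for n, p in PACKETS.items()},
        "alert_first": {n: evaluate(POLICY, p, ALERT_FIRST) for n, p in PACKETS.items()},
        "errant_pass": {n: evaluate(ERRANT, p, PASS_FIRST) for n, p in PACKETS.items()},
    }

if __name__ == "__main__":
    for cfg, res in run_demo().items():
        print(cfg, *[f"  {n}: {a} ({m})" for n, (a, m) in res.items()], sep="\n")
```

Two results are worth looking at. Under the alert-first order the catch-all fires on the allowed SQL flow, so the pass rules achieve nothing until the order is changed. Under the pass-first order the "int_attack" packet, an allowed web flow carrying /etc/passwd, is passed before the content rule is ever consulted: a pass rule that allows a flow also silences every content check on it, which is the blind spot the warning at the end of the reply is about, and the errant run shows one over-broad pass rule silencing the whole ruleset for TCP.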

Message: 6
From: Eric Baur <Eric.Baur at ...1794...>
To: snort-sigs at lists.sourceforge.net
Cc: "'studentmm08.pool-id at ...1755...'" <studentmm08.pool-id at ...1755...>
Subject: RE: [Snort-sigs] problem writing rules for checking traffic and content
Date: Mon, 18 Aug 2003 13:58:41 -0700


    My solution has been to manage two (or more) rulesets and run
multiple copies of snort.  For example, I would have one listening for
attacks on eth0 and one listening for unauthorized access on eth0:0.  You
can even have them log to the same database so the data shows in the same
logs.  (You can then look at the summary statistics for the sensors to see
how many of each type you're logging.)
    This would be difficult if you had to maintain quite a few of
them... I basically have three.  One for attacks, one for SQL traffic and
one for "testing" (that I put rules in temporarily to do things like what
you're talking about).

Eric

-----Original Message-----
From: studentmm08.pool-id at ...1755...
[mailto:studentmm08.pool-id at ...1755...] 
Sent: Monday, August 18, 2003 5:38 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] problem writing rules for checking traffic and content


I have a little problem with the rule detection in snort.
I know that snort uses a fast exit strategy. Once matched, the packet
isn't checked against another rule by snort.

My scenario is a very big company net with lots of subnets.
(45 servers, 200 clients, lots of development nets)

My task is to check source and destination of all traffic,
and on the other side the content of all traffic.
