[Snort-sigs] Rule order question

David Calder dbcalder at ...12...
Wed Dec 3 03:05:21 EST 2003

I've got a scenario which I haven't yet been able to find a working Snort 
setup for, so I'm hoping someone on the list can come up with a solution.

I have a DMZ which I need to monitor very closely with my Snort sensor 
(let's say it's .  My Snort sensor is only logging to syslog 
and I do not want to use a database.  I know the exact connectivity profile 
of the hosts on this DMZ (say there are three hosts .2, .3 and .4, and the 
gateway .1) and I want to alert on any malicious connection attempts by 
these hosts AND ANY connection attempts by these hosts that do not fit my 
connectivity profile.

To complete the picture, let's say that the connectivity profile is as 
follows:
.2 is allowed to connect to .3 and .4 on http only
.3 is allowed to connect to .2 on http only

An obvious way of doing this would be to define rules with a pass action for 
the connectivity which is allowed and an audit-type rule to catch all other 
types of connections.  However, this would mean that none of the rules which 
identify malicious activity would be triggered for connections that match 
the connectivity profile, so a malicious connection from .2 to .3 on HTTP 
would be missed.  So I have had to discount this solution.

Another way would be to define my audit alert rules so that they do not 
trigger on connections that match the connectivity profile, using groups in 
the audit alert rules, for example:
alert tcp !$httpsrcs any -> !$httpdsts 80 (msg:"HTTP AUDIT RULE";)
alert tcp -> any !80 (msg:"ALL BUT HTTP AUDIT RULE";)

but this does not maintain granularity and isn't scalable; the example I 
have given above will not alert if .3 connects to .4, and will match HTTP 
traffic originating from outside the subnet, which I don't want to trigger on.

Has anyone else done this or know how to do it?  I want to do this using 
Snort, not after Snort has processed it.
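
As an added example (not code from the original post, and not an answer the
poster gave), the script below turns a connectivity profile like the one
described above into per-host Snort audit rules. Each profiled host gets one
rule per permitted destination (alerting on any other port) plus one catch-all
rule for destinations it may not reach at all; the source address is always
the profiled host, so HTTP from outside the subnet does not match, and every
rule is an alert rather than a pass, so signature rules still apply to
permitted flows. The subnet 10.0.0.0/24 is a hypothetical stand-in for the
DMZ address that is missing from the post, the PROFILE is constructed from
the three hosts it describes, and the small header matcher at the end exists
only so the generated set can be checked offline without a sensor.

```python
"""Generate per-host Snort audit rules from a DMZ connectivity profile.

Added example, not code from the original post.  10.0.0.0/24 is a
hypothetical stand-in for the DMZ address missing from the post, and the
profile below is constructed from the three hosts it describes.  Rule
syntax targets Snort 2.x headers (IP lists, ! negation, flags:S); a
negated port list such as ![80,443] needs a version with port lists.
"""
import ipaddress

# Constructed profile: source host -> {permitted destination -> permitted TCP ports}
PROFILE = {
    "10.0.0.2": {"10.0.0.3": {80}, "10.0.0.4": {80}},
    "10.0.0.3": {"10.0.0.2": {80}},
    "10.0.0.4": {},                     # .4 is not permitted to initiate anything
}


def _port_field(ports):
    ports = sorted(ports)
    return str(ports[0]) if len(ports) == 1 else "[" + ",".join(map(str, ports)) + "]"


def generate_audit_rules(profile, base_sid=1000000):
    """One audit rule per (src, dst) pair plus one catch-all per src.

    Every rule is an 'alert', so signature rules stay in force on permitted
    flows: nothing here uses 'pass'.  flags:S restricts the audit rules to
    connection attempts (bare SYN) initiated by the profiled host.
    """
    rules, sid = [], base_sid
    for src, allowed in profile.items():
        # src -> permitted host, but on a port the profile does not allow
        for dst, ports in sorted(allowed.items()):
            rules.append(
                f"alert tcp {src} any -> {dst} !{_port_field(ports)} "
                f'(msg:"AUDIT {src} -> {dst} non-permitted port"; flags:S; sid:{sid};)'
            )
            sid += 1
        # src -> any host it is not permitted to reach at all (gateway, outside, other DMZ hosts)
        dst_field = "![" + ",".join(sorted(allowed)) + "]" if allowed else "any"
        rules.append(
            f"alert tcp {src} any -> {dst_field} any "
            f'(msg:"AUDIT {src} -> non-permitted host"; flags:S; sid:{sid};)'
        )
        sid += 1
    return rules


# --- minimal header matcher, only for checking the generated set offline ---

def _ip_hit(item, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(item, strict=False)


def _port_hit(item, port):
    return int(item) == port


def _field_matches(field, value, hit):
    """Evaluate a Snort header field of the form any, x, [x,y], !x or ![x,y]."""
    if field == "any":
        return True
    negate = field.startswith("!")
    items = field.lstrip("!").strip("[]").split(",")
    return any(hit(item, value) for item in items) != negate


def syn_audited(rules, src, dst, dport):
    """True if a SYN src -> dst:dport matches the header of any generated rule."""
    for rule in rules:
        _act, _proto, rsrc, _rsport, _arrow, rdst, rdport = rule.split(" (", 1)[0].split()
        if (_field_matches(rsrc, src, _ip_hit)
                and _field_matches(rdst, dst, _ip_hit)
                and _field_matches(rdport, dport, _port_hit)):
            return True
    return False


if __name__ == "__main__":
    for rule in generate_audit_rules(PROFILE):
        print(rule)
```

With the constructed profile this yields six rules: .2 -> .3 on a non-80
port, .2 -> .4 on a non-80 port, .2 -> anything but .3/.4, the same two for
.3, and a bare catch-all for .4. A SYN from .3 to .4 on 80 (the case the
hand-written rule above misses) hits .3's catch-all, while a SYN from an
outside address never matches because no rule names it as source. Because
the audit rules key on the SYN, they rarely compete with content signatures,
which fire on later data-bearing packets of the same permitted connection.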
