[Snort-sigs] Rule order question
dbcalder at ...12...
Wed Dec 3 03:05:21 EST 2003
I've got a scenario which I haven't yet been able to find a working snort
setup for, so I'm hoping someone on the list can come up with a solution.
I have a dmz which I need to monitor very closely with my snort sensor
(let's say it's 192.168.0.0/24). My snort sensor is only logging to syslog
and I do not want to use a database. I know the exact connectivity profile
of the hosts on this dmz (say there are three hosts .2, .3 and .4, and the
gateway .1) and I want to alert on any malicious connection attempts by
these hosts AND ANY connection attempts by these hosts that do not fit my
To complete the picture, let's say that the connectivity profile is as
.2 is allowed to connect to .3 and .4 on http only
.3 is allowed to connect to .2 on http only
An obvious way of doing this would be to define rules with a pass action for
the connectivity which is allowed and an audit type rule to catch all other
type of connections. However this would mean that none of the rules which
identify malicious activity would be triggered for connections that match
the connectivity profile. So a malicious connection from .2 to .3 on http
would be missed. So I have had to discount this solution.
Another way would be to define my audit alert rules so that they do not
trigger on connections that match the connectivity profile using groups in
the audit alert rules for example
alert tcp !$httpsrcs any -> !$httpdsts 80 (msg:"HTTP AUDIT RULE";)
alert tcp 192.168.0.0/24 any -> any !80 (msg:"ALL BUT HTTP AUDIT RULE";)
but this does not maintain granularity and isn't scalable; the example I
have given above will not alert if .3 connects to .4, and will match http
traffic originating from outside the subnet which I don't want to trigger on.
Has anyone else done this, or does anyone know how to do it? I want to do this
using snort, not after snort has processed it.
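One way to keep the granularity the post is after is to enumerate the profile per source host rather than per subnet: for every DMZ host, one audit rule for destinations outside its allowed set and one per allowed destination for ports outside its allowed set. Since these are alert rules, not pass rules, the ordinary signature rules still fire on profiled traffic. The generator below is an added example, not code from the post; the profile data, message texts, sid range and the use of flags:S,12 (alert once per SYN rather than per packet) are my own assumptions.

```python
from ipaddress import ip_address

# Constructed connectivity profile from the post: source -> {dest: allowed dst ports}
PROFILE = {
    "192.168.0.2": {"192.168.0.3": {80}, "192.168.0.4": {80}},
    "192.168.0.3": {"192.168.0.2": {80}},
}
# Hosts on the DMZ that must be covered; .1 and .4 have no allowed outbound connections.
DMZ_HOSTS = ["192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.0.4"]


def snort_list(items):
    """Render one item bare, several as a Snort [a,b] list (caller sorts)."""
    items = list(items)
    return items[0] if len(items) == 1 else "[" + ",".join(items) + "]"


def audit_rules(profile, hosts, sid_base=1000000):
    """Emit Snort 2 audit alert rules that fire only on connections outside the profile."""
    rules, sid = [], sid_base
    for src in sorted(hosts, key=ip_address):
        allowed = profile.get(src, {})
        if not allowed:
            rules.append(f'alert tcp {src} any -> any any (msg:"AUDIT {src} has no allowed '
                         f'connections"; flags:S,12; sid:{sid};)')
            sid += 1
            continue
        # Any destination outside the allowed set for this source.
        dsts = snort_list(sorted(allowed, key=ip_address))
        rules.append(f'alert tcp {src} any -> !{dsts} any (msg:"AUDIT {src} to non-profile '
                     f'host"; flags:S,12; sid:{sid};)')
        sid += 1
        # Allowed destination, but a port outside the allowed set.
        for dst in sorted(allowed, key=ip_address):
            ports = snort_list(str(p) for p in sorted(allowed[dst]))
            rules.append(f'alert tcp {src} any -> {dst} !{ports} (msg:"AUDIT {src} to {dst} '
                         f'on non-profile port"; flags:S,12; sid:{sid};)')
            sid += 1
    return rules


def is_audited(profile, src, dst, port):
    """Semantic check of what the generated rules cover: True if the profile does not allow it."""
    return port not in profile.get(src, {}).get(dst, set())


if __name__ == "__main__":
    print("\n".join(audit_rules(PROFILE, DMZ_HOSTS)))
```

The rules only express the connectivity profile; the malicious-traffic signatures stay in place unchanged, so a bad request from .2 to .3 on port 80 is still caught by those.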