Re: [Snort-sigs] Rule order question

Sean Wheeler s.wheeler at ...944...
Wed Dec 3 05:27:00 EST 2003


Hi,

This is how I approached the problem

----  Rules ---

------Catch ALL : Rule simply catches all traffic

erroneous_traffic ip $ANY_Servers $any <> $ANY_Servers $any (msg:"erroneous_traffic"; classtype:policy-violation; sid:1001954;)


-----Ignore Specific : Rule simply ignores its specific traffic

authorised_traffic tcp $ANY_Servers $any <> $Web_servers 80 (msg:"Auto Created Rule"; classtype:not-suspicious; sid:0;)
authorised_traffic udp $ANY_Servers $any <> $DNS_servers 53 (msg:"Auto Created Rule"; classtype:not-suspicious; sid:0;)


--------Snort.conf----------

ruletype authorised_traffic
{
	type pass
	output log_null
}

ruletype erroneous_traffic
{
	type alert
	output database: alert, mysql, sensor_name=xxxxxxxx user=xxxxxx password=xxxxxxxx dbname=snort host=xxxxxxxx
}

config order: alert authorised_traffic erroneous_traffic


---------Process description---------

Directive config order:

1) processes all signature-based rules first (alert)
2) then processes authorised_traffic (does nothing but pass over; see ruletype
authorised_traffic)
3) then processes erroneous_traffic and creates an alert if triggered (see
ruletype erroneous_traffic)

Result

All alert rules get processed first as per normal.
If the traffic is ruletype erroneous_traffic it is logged to the db in this
case.


------------------
Your Case Example
------------------
(SIG based rules)
...
 alert tcp $Untrusted_Networks $any -> $Web_Servers $www_http (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; sid:1372; classtype:web-application-activity; rev:4;)
 alert tcp $Untrusted_Networks $any -> $Web_Servers $www_http (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; nocase; classtype:web-application-activity; sid:1373; rev:5;)
 alert tcp $Untrusted_Networks $any -> $Web_Servers $www_http (msg:"WEB-ATTACKS .htgroup access"; flow:to_server,established; uricontent:".htgroup"; nocase; sid:1374; classtype:web-application-activity; rev:4;)

(Catch ALL rules)
....
erroneous_traffic ip $ANY_Servers $any <> $ANY_Servers $any (msg:"erroneous_traffic"; classtype:policy-violation; sid:1001954;)

(Ignore Specific rules)
....
authorised_traffic tcp 192.168.0.2 !80 <> 192.168.0.3 80 (msg:"Auto Created Rule"; classtype:not-suspicious; sid:0;)
authorised_traffic tcp 192.168.0.2 !80 <> 192.168.0.4 80 (msg:"Auto Created Rule"; classtype:not-suspicious; sid:0;)
authorised_traffic tcp 192.168.0.3 !80 <> 192.168.0.2 80 (msg:"Auto Created Rule"; classtype:not-suspicious; sid:0;)


(Snort.conf)

ruletype authorised_traffic
{
	type pass
	output log_null
}

ruletype erroneous_traffic
{
	type alert
	output database: alert, mysql, sensor_name=xxxxxxxx user=xxxxxx password=xxxxxxxx dbname=snort host=xxxxxxxx
}

config order: alert authorised_traffic erroneous_traffic



Some notes on the above:

authorised_traffic cannot be set up using flow:established directives, as an
alert will be generated when the session is "being" established.
erroneous_traffic catches all protos, not only tcp.
All SIG based rules get processed before authorised_traffic &
erroneous_traffic due to "config order: alert authorised_traffic
erroneous_traffic" in snort.conf.

I hope that helps a lil

regards

Sean
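
As an added example (not code from this thread, and not Snort's own engine), the following Python models the evaluation order Sean's config relies on: rule types are walked in the `config order` sequence and the first matching rule decides the packet (an assumption of classic first-match semantics; flow state and the event queue of later Snort versions are ignored). It builds the pass rules from the connectivity profile in the quoted question, puts the catch-all behind them, and shows what each order does with an attack inside an allowed flow, a clean allowed flow, a flow outside the profile and a UDP packet. The names `pass_rules_from_profile`, `render`, `demo` and the sample payloads are this example's own.

```python
"""Model of Snort rule-type ordering for the thread's DMZ scenario. Added example,
not code from the thread and not Snort's engine: it assumes classic first-match
semantics (rule types walked in 'config order' sequence, first matching rule
decides the packet). Hosts, ports and payloads are constructed test data."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    rtype: str      # ruletype name: "alert", "authorised_traffic", ...
    proto: str      # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: str        # IP or CIDR, "any", or "!"-negated
    sport: str      # port number, "any", or "!"-negated
    direction: str  # "->" or "<>"
    dst: str
    dport: str
    msg: str
    sid: int
    content: str = ""   # case-insensitive payload substring; "" = no check

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

def _addr_ok(spec, ip):
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def _port_ok(spec, port):
    if spec == "any":
        return True
    return (int(spec.lstrip("!")) == port) != spec.startswith("!")

def matches(rule, pkt):
    """Header match ('<>' also tries the reversed tuple), then optional nocase content check."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    fwd = (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
           and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))
    rev = (rule.direction == "<>"
           and _addr_ok(rule.src, pkt.dst) and _port_ok(rule.sport, pkt.dport)
           and _addr_ok(rule.dst, pkt.src) and _port_ok(rule.dport, pkt.sport))
    return (fwd or rev) and rule.content.lower().encode() in pkt.payload.lower()

def evaluate(pkt, rules, order):
    """First match walking rule types in `order` -> (ruletype, sid); ("none", None) if nothing hit."""
    for rtype in order:
        for r in rules:
            if r.rtype == rtype and matches(r, pkt):
                return rtype, r.sid
    return "none", None

def pass_rules_from_profile(profile, first_sid=1000001):
    """One authorised_traffic rule per allowed (src, dst, port), shaped like the post's auto-created rules."""
    return [Rule("authorised_traffic", "tcp", s, f"!{p}", "<>", d, str(p),
                 "Auto Created Rule", first_sid + i)
            for i, (s, d, p) in enumerate(profile)]

def render(rule):
    """Emit the rule in Snort text form, one rule per line."""
    opts = f'msg:"{rule.msg}";'
    if rule.content:
        opts += f' content:"{rule.content}"; nocase;'
    opts += f" sid:{rule.sid};"
    return (f"{rule.rtype} {rule.proto} {rule.src} {rule.sport} "
            f"{rule.direction} {rule.dst} {rule.dport} ({opts})")

# Constructed profile from the question: .2 -> .3/.4 on http, .3 -> .2 on http.
PROFILE = [("192.168.0.2", "192.168.0.3", 80),
           ("192.168.0.2", "192.168.0.4", 80),
           ("192.168.0.3", "192.168.0.2", 80)]
DMZ = "192.168.0.0/24"
RULES = [
    Rule("alert", "tcp", "any", "any", "->", DMZ, "80",
         "WEB-ATTACKS /etc/shadow access", 1372, content="/etc/shadow"),
    *pass_rules_from_profile(PROFILE),
    Rule("erroneous_traffic", "ip", DMZ, "any", "<>", DMZ, "any",
         "erroneous_traffic", 1001954),
]
ORDER = ("alert", "authorised_traffic", "erroneous_traffic")  # as in the post

# Constructed packets: attack inside an allowed flow, clean allowed flow, flow outside the profile.
ATTACK = Packet("tcp", "192.168.0.2", 40001, "192.168.0.3", 80, b"GET /x?f=../../etc/shadow HTTP/1.0")
ALLOWED = Packet("tcp", "192.168.0.2", 40002, "192.168.0.3", 80, b"GET /index.html HTTP/1.0")
STRAY = Packet("tcp", "192.168.0.3", 40003, "192.168.0.4", 80, b"GET / HTTP/1.0")

def demo(order=ORDER):
    """Which rule type claims each packet under the given config order."""
    return {name: evaluate(p, RULES, order)[0]
            for name, p in (("attack", ATTACK), ("allowed", ALLOWED), ("stray", STRAY))}

if __name__ == "__main__":
    print("\n".join(render(r) for r in RULES))
    print("alert first:", demo())
    print("pass first: ", demo(("authorised_traffic", "alert", "erroneous_traffic")))
```

Run stand-alone it prints the generated rules and two result dictionaries. With `alert authorised_traffic erroneous_traffic` the /etc/shadow request from .2 to .3 is claimed by the signature, the clean .2 to .3 request by the pass rule, and the .3 to .4 request by the catch-all; with the pass rules ahead of `alert`, the same attack is swallowed by the pass rule, which is the loss of signature coverage the question describes. The UDP case in the test shows the `ip` catch-all picking up what the tcp-only pass rules never see.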



-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of David
Calder
Sent: Wednesday, 3 December 2003 12:05
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Rule order question


I've got a scenario which I haven't yet been able to find a working snort
setup for, so I'm hoping someone on the list can come up with a solution.

I have a dmz which I need to monitor very closely with my snort sensor
(let's say it's 192.168.0.0/24). My snort sensor is only logging to syslog
and I do not want to use a database. I know the exact connectivity profile
of the hosts on this dmz (say there are three hosts .2, .3 and .4, and the
gateway .1) and I want to alert on any malicious connection attempts by
these hosts AND ANY connection attempts by these hosts that do not fit my
connectivity profile.

To complete the picture lets say that the connectivity profile is as
follows:

.2 is allowed to connect to .3 and .4 on http only
.3 is allowed to connect to .2 on http only

An obvious way of doing this would be to define rules with a pass action for
the connectivity which is allowed and an audit type rule to catch all other
types of connections. However, this would mean that none of the rules which
identify malicious activity would be triggered for connections that match
the connectivity profile. So a malicious connection from .2 to .3 on http
would be missed. So I have had to discount this solution.

Another way would be to define my audit alert rules so that they do not
trigger on connections that match the connectivity profile, using groups in
the audit alert rules, for example:
alert tcp !$httpsrcs any -> !$httpdsts 80 (msg:"HTTP AUDIT RULE";)
alert tcp 192.168.0.0/24 any -> any !80 (msg:"ALL BUT HTTP AUDIT RULE";)

but this does not maintain granularity and isn't scalable; the example I
have given above will not alert if .3 connects to .4 and will match http
traffic originating from outside the subnet, which I don't want to trigger on.

Has anyone else done this, or does anyone know how to do it? I want to do this
using snort, not after snort has processed it.

TIA,

dbcalder




_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs