[Snort-sigs] Re: "bad guy" tagging

Martin Olsson elof at ...1288...
Fri Jul 18 07:15:32 EDT 2003


On Thu, 17 Jul 2003, Brian wrote:
> On Thu, Jul 17, 2003 at 12:15:37PM +0200, Martin Olsson wrote:
> > Ok, it might not be the most beautiful solution, but putting this standard
> > word first in the msg-tag works.
> Snort has meta-data stored in keywords.  References are a perfect example
> of meta-data that is handled in a keyword.  Those that want to use the
> meta-data can.  Those that don't, don't.
> Requiring parsing of messages for applications that want the support
> is a nasty hack that I'd love to avoid.

Me too!
What's your suggestion in this case? Alternative 1, 2 or something else?
I think alternative 2 will work fine if all rules are updated with the new
reference.

---------------

1. Adding a completely new tag that only accepts three keywords: "src",
"dst" or "any".

Example:
  (msg:"foo"; offender:"src"; ...

---------------

2. Re-use the reference system for "offender tracking", even though this
is not strictly speaking a reference like the others.

Example:
First we have to add a new reference to etc/reference.config:
    offender	http://www.snort.org/snort-db/sid.html?offender=


We say that this reference should only have one of these three parameters:
"src", "dst" or "any".

  (msg:"foo"; reference:offender,src; reference:arachnids,999; ...

The offender-reference will be put together into:
  http://www.snort.org/snort-db/sid.html?offender=src

In this example I assume that http://www.snort.org/snort-db/sid.html can
handle the new option "offender=" and not just the currently used "sid=".

"sid=" displays the details about a signature (Signature, summary, impact,
detailed info, affected systems, false positives, etc)
"offender=" would display a similar page:


"offender=src":
Description:
"The source address of the logged alert is the offending part, and the
destination address is the target.
The offending part could be a hacker/cracker or just a misconfigured host
generating bad traffic.
The offender-reference is used by frontend-, statistics-, reporting- and
correlating tools."

"offender=dst":
Description:
"The destination address of the logged alert is the offending part, and
the source address is the target.
The offending part could be a hacker/cracker or just a misconfigured host
generating bad traffic.
The offender-reference is used by frontend-, statistics-, reporting- and
correlating tools."

"offender=any":
Description:
"In this alert we don't know what part, the source or destination, is the
offender. Most of the time you encounter this, it's because a snort rule
uses the bi-directional operator, making it hard to point out what part
is the bad one.
The offending part could be a hacker/cracker or just a misconfigured host
generating bad traffic.
The offender-reference is used by frontend-, statistics-, reporting- and
correlating tools."

"offender=<everything else>":
Description:
"Error: The offender-reference used in this rule uses an unsupported
parameter. Allowed parameters are: src, dst or any
The offender-reference is used by frontend-, statistics-, reporting- and
correlating tools."

---------------
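An added example, not part of the original thread or of Snort itself, showing how a frontend or reporting tool could consume alternative 2: it pulls `reference:offender,<value>` out of a rule's option string, rejects any value other than src/dst/any (the "everything else" error case above), builds the reference URL from the proposed reference.config prefix, and maps an alert's source/destination pair to offender and target. The sample rule and addresses are constructed; the function names are my own.

```python
import re
from typing import Optional, Tuple

# Values the proposal allows for the offender reference.
OFFENDER_VALUES = {"src", "dst", "any"}

# Prefix from the proposed reference.config line for "offender".
REFERENCE_PREFIX = "http://www.snort.org/snort-db/sid.html?offender="

# Matches "reference:offender,<value>;" with optional whitespace.
_OFFENDER_RE = re.compile(r'reference\s*:\s*offender\s*,\s*([^;\s]+)\s*;')

# Constructed sample rule options, in the shape used in the proposal.
EXAMPLE_RULE = '(msg:"foo"; reference:offender,src; reference:arachnids,999; sid:1000001;)'


def offender_of_rule(rule: str) -> Optional[str]:
    """Return "src", "dst" or "any" from the rule's offender reference.

    Returns None when the rule carries no offender reference and raises
    ValueError for any other value, mirroring the error page in the proposal.
    """
    # Drop the quoted msg first so text inside it cannot look like an option.
    body = re.sub(r'msg\s*:\s*"(?:[^"\\]|\\.)*"\s*;', '', rule)
    match = _OFFENDER_RE.search(body)
    if match is None:
        return None
    value = match.group(1).lower()
    if value not in OFFENDER_VALUES:
        raise ValueError(
            f"offender reference uses unsupported parameter {value!r}; "
            "allowed parameters are: src, dst or any")
    return value


def offender_url(rule: str) -> Optional[str]:
    """Assemble the reference URL exactly as the proposal puts it together."""
    value = offender_of_rule(rule)
    return None if value is None else REFERENCE_PREFIX + value


def classify_alert(rule: str, src_ip: str, dst_ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Map an alert's (src, dst) to (offender, target) using the rule's reference.

    "any" (typically a rule using the bi-directional operator) and a missing
    reference both yield (None, None): neither side can be singled out.
    """
    value = offender_of_rule(rule)
    if value == "src":
        return src_ip, dst_ip
    if value == "dst":
        return dst_ip, src_ip
    return None, None
```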
