[Snort-sigs] logical operators and snort rules

Terence Runge terencerunge at ...1224...
Thu Jun 19 15:34:17 EDT 2003


I am trying to understand snort and logical operators within snort
rules. Specifically, how does snort read and, or, and xor?

Following are some examples to help illustrate my questions. I have
modified them to try and keep from tripping your sensors.

The MSN rules define multiple content in each rule. In order to fire, I
have been under the impression that all contents needed to be matched.
If this was not true, and only a single match was required, then a large
amount of false positives would occur.

For example, content:"MSG " would trip all three alerts. Logically, the
additional contents of either ACCEPT or REJECT would fire the correct
rule.

alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file
transfer request"; flow:established; content:"MSG "; depth:4;
content:"Content-Type\:"; nocase; distance:0; content:"text/x-msmsgsinvite"; nocase; distance:0;
content:"Application-Name\:"; content:"File Transfer"; nocase; distance:0;
classtype:policy-violation; sid:1986; rev:1;)

alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file
transfer accept"; flow:established; content:"MSG "; depth:4;
content:"Content-Type\:";content:"text/x-msmsgsinvite"; distance:0;
content:"Invitation-Command\:";content:"ACCEPT"; distance:1;
classtype:policy-violation; sid:1988; rev:1;)

alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file
transfer reject"; flow:established; content:"MSG "; depth:4;
content:"Content-Type\:";content:"text/x-msmsgsinvite"; distance:0;
content:"Invitation-Command\:";content:"CANCEL"; distance:0;
content:"Cancel-Code\:"; nocase; content:"REJECT";nocase; distance:0;
classtype:policy-violation; sid:1989; rev:1;)


The virus rules below are for a single type of virus, in this case
"Virus - Possible MyRomeo Worm". There are very few differences between
each rule aside from the content of each and the sid. All else is
virtually identical. This indicates to me that an or statement was not
possible, and that is the reason the rules were defined as such.

Examples of multiple rules for one type of event with single content
defined:

alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm";
content:"myromeexe"; nocase; sid:723;  classtype:misc-activity; rev:3;)

alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm";
content:"myjuliechm"; nocase; sid:724;  classtype:misc-activity; rev:3;)

alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm";
content: "blela"; nocase; sid:725;  classtype:misc-activity; rev:3;)

alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm";
content: "ILovYou"; sid:726;  classtype:misc-activity; rev:3;)

alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm";
content: "SorryHey you !"; sid:727;  classtype:misc-activity; rev:3;)

alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm";
content: "my pictu from shakeeer"; sid:728; classtype:misc-activity;
rev:3;)


Following is a test of logical operators and how I thought snort
interpreted content. Given the way I wrote the test rule, and comparing
it to the above examples, I would conclude that the rule would only fire
if both contents were seen, interpreted as an and statement.

However, when I ran the test and entered the string veritasiscool into
google, the rule fired. The same applied with just veritasisrad,
indicating interpretation as or, not and. It also fired with both
contents, so it is not xor.

alert tcp any any -> any 80 (msg:"This is a test of Logical Operators";
content:"veritasiscool"; content:"veritasisrad";
classtype:misc-activity; sid:9900000; rev:1;)


Can anyone shed some light on this? Also, aside from depth, flow,
distance, etc., if a rule fires based on content as or statements, how
are false positives contained? If possible, can the explanation be given
using the MSN rules above as examples?

Terence
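Added example, not part of the original post and not Snort's own code: a small matcher that applies the documented meaning of the content modifiers used in the rules above (content, nocase, depth, offset, distance, within). Every content option has to match (logical AND); depth/offset count from the payload start, distance/within from the end of the previous match. It ignores flow, ports and every other option, and runs over constructed payloads rather than real traffic.

```python
import re

# One Snort 2 rule option per match: name:"quoted" ;  |  name:value ;  |  name ;
OPT_RE = re.compile(r'(\w[\w-]*)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?\s*;')

def parse_contents(rule):
    """Return [[pattern_bytes, modifiers], ...] in rule order."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for name, value in OPT_RE.findall(body):
        if name == "content":
            text = re.sub(r"\\(.)", r"\1", value[1:-1])   # unescape \: \; \" \\
            contents.append([text.encode(), {}])
        elif contents and name in ("nocase", "depth", "offset", "distance", "within"):
            contents[-1][1][name] = int(value) if value else True   # modifier binds to last content
    return contents

def contents_match(rule, payload):
    """Every content option must match (AND). depth/offset are absolute from the
    payload start; distance/within are relative to the previous content match."""
    cursor = 0                                   # end of the previous match
    for pattern, mods in parse_contents(rule):
        hay, needle = payload, pattern
        if mods.get("nocase"):
            hay, needle = hay.lower(), needle.lower()
        if "distance" in mods or "within" in mods:
            start = cursor + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(hay)
        else:
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(hay)
        pos = hay.find(needle, start, end)       # pattern must fit entirely in [start, end)
        if pos < 0:
            return False                         # one content missing -> whole rule fails
        cursor = pos + len(needle)
    return True

# The MSN "accept" rule (sid 1988) and the two-content test rule from the post.
ACCEPT_RULE = ('alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer '
               'accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type\\:";'
               'content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command\\:";'
               'content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:1;)')
TEST_RULE = ('alert tcp any any -> any 80 (msg:"This is a test of Logical Operators"; '
             'content:"veritasiscool"; content:"veritasisrad"; classtype:misc-activity; '
             'sid:9900000; rev:1;)')
# Constructed sample payload (not a real capture) that should satisfy sid 1988.
ACCEPT_MSG = (b"MSG 12 N 90\r\nContent-Type: text/x-msmsgsinvite; charset=UTF-8\r\n\r\n"
              b"Invitation-Command: ACCEPT\r\nInvitation-Cookie: 42\r\n")
```

Because the two contents in the test rule carry no distance/within, they are searched independently over the whole payload, so their order in the packet does not matter, but both still have to be present.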