No subject


Thu Nov 23 16:34:03 EST 2017


What I want to do is:
If packet matches IIS Specific rule: Stop - don't alert, log, etc - go to next packet

It appears that pass rules are supposed to do that (as long as you use the -o flag to cause the pass rules to be evaluated before the alert & log rules).

Correct??

Tim Bernhardson
Senior Technical Engineer
Certified Citrix Metaframe Administrator
Certified CyberGuard Administrator
Certified AIX 4.3 System Administrator
Sun-Maid Growers of California
7273 Murray Drive, Ste 18
Stockton, CA 95210

tbernhar at ...861...

>>> "Moyer, Shawn" <SMoyer at ...758...> 09/25/02 03:58PM >>>

Since you may not want to disable an entire set of rules (for example, IIS
rules may be relevant if you use ChiliSoft or mod_asp, and most of the
web-misc rules apply to a lot of stuff) what you probably need to do here is
look at the individual rule that fired and rewrite it in local.rules as a
pass rule, ideally just for the one host that triggered it. As an example,
if you had a site that was falsing on CGI-Calendar from web-cgi...

Your alert would be:

[**] [1:882:4] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/25-11:16:30.706611 X.X.X.X:3225 -> 1.1.1.1.1:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1301
***AP*** Seq: 0xE1EA0848  Ack: 0xEE63BC5  Win: 0x41FA  TcpLen: 20

You would grep for SID in your rules directory:

[root at ...864... snort]# grep sid:882 rules/*
rules/web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-CGI calendar access";flow:to_server,established;
uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882;  rev:4;)

and then copy the rule into your local.rules, rewritten as a pass for the
specific host that was triggering the rule:

/etc/snort/local.rules:

pass tcp $EXTERNAL_NET any -> X.X.X.X $HTTP_PORTS
(flow:to_server,established; uricontent:"/calendar"; nocase;)

You can remove the SID, msg-type, etc. in the rule b/c these are only
informational when alerting. Alternatively, leave the SID in or add a
comment above the rule in local.rules referencing the SID you disabled just
for record-keeping.

If this is what you already did previously, there may be some duplicate or
very similar sigs in web-misc that are also in the iis rules.

Anyhoo, the SID is the best way to find what sig is firing. That's what it's
for.


--shawn


> -----Original Message-----
> From: Chris Baker [mailto:extremis at ...862...]
> Sent: Wednesday, September 25, 2002 12:10
> To: Tim Bernhardson
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Rules question
>
>
> I'm not sure what rule you see getting triggered, but if you are
> getting WEB-MISC alerts, then its likely due to the web-misc.rules.
>
> At least for me:
>
> -bash-2.05b# file /var/snort/rules/web-misc.rules
> /var/snort/rules/web-misc.rules: ASCII text
>
> -bash-2.05b# grep -i web-misc.rules /var/snort/etc/snort.conf
> include $RULE_PATH/web-misc.rules
>
>
> On Wed, Sep 25, 2002 at 09:12:39AM -0700, Tim Bernhardson wrote:
> > From: "Tim Bernhardson" <TBERNHAR at ...861...>
> > To: <snort-sigs at lists.sourceforge.net>
> > Subject: [Snort-sigs] Rules question
> > Date: Wed, 25 Sep 2002 09:12:39 -0700
> >
> > Am I doing this wrong or can't it be done?
> >
> > I have no IIS Servers so I don't want to be notified about IIS Specific
> > attacks, however if I just don't include the web-iis.rules they show up
> > as WEB-MISC alerts.  I looked through the docs and the pass rules looked
> > like they would do it.  I made a copy of web-iis rules, changed alert to
> > msiis and added the following lines to the file.
> >
> > ruletype msiis {
> >    type pass output
> >    output log_null
> > }
> >
> > and added the -o flag to the cmd line for snort.
> >
> > I am still getting the alerts as WEB-MISC..
> >
> > Thanks
> >
> > Tim Bernhardson
> > Senior Technical Engineer
> > Certified Citrix Metaframe Administrator
> > Certified CyberGuard Administrator
> > Certified AIX 4.3 System Administrator
> > Sun-Maid Growers of California
> > 7273 Murray Drive, Ste 18
> > Stockton, CA 95210
> >
> > tbernhar at ...861...
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
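Added example, not part of the thread and not Snort project code: a small Python script that automates the procedure Shawn describes above and addresses Tim's original "pass this rule and move on" requirement. It takes a Snort alert in the classic full-alert layout, pulls the gid:sid:rev tag and the destination host out of it, finds the matching rule by SID (anchored so that looking for sid:882 does not also hit sid:8820, which a plain `grep sid:882` would), and rewrites that rule as a `pass` rule for the one destination host, dropping the reporting-only options (msg, sid, rev, classtype, reference, priority) and emitting a comment that records the original SID for record-keeping. The sample rules and the sample alert are constructed for illustration. `local_sid` is an optional hypothetical parameter for Snort versions that insist on every rule carrying a sid (local rules conventionally use sids from 1000000 up). The generated pass rule only stops alerts if pass rules are evaluated before alert rules, which is what the `-o` switch discussed in the thread does (later Snort 2.x releases expose the same ordering switch as `config order:` in snort.conf).

```python
"""Rewrite a firing Snort alert rule as a host-specific pass rule.

Added example (not from the snort-sigs thread). The sample rules and the
sample alert below are constructed for illustration only.
"""
import re

# Constructed sample rules file: two illustrative rules, not a real ruleset.
# The second rule has a ';' inside its content string on purpose, to show
# that the option splitter must respect quotes.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC semicolon test"; flow:to_server,established; content:"a|3B|b;c"; nocase; classtype:attempted-recon; sid:8820; rev:1;)
"""

# Constructed alert in the classic Snort "full" alert layout.
SAMPLE_ALERT = """\
[**] [1:882:4] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/25-11:16:30.706611 192.0.2.7:3225 -> 10.0.0.5:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1301
"""

# Options that only matter for reporting; a pass rule does not need them.
REPORTING_OPTS = {"msg", "sid", "rev", "classtype", "reference", "priority"}


def sid_from_alert(alert):
    """Return (gid, sid, rev) from the [gid:sid:rev] tag of an alert."""
    m = re.search(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]", alert)
    if not m:
        raise ValueError("no [gid:sid:rev] tag in alert")
    return tuple(int(x) for x in m.groups())


def dst_from_alert(alert):
    """Return the destination host from the 'src:port -> dst:port' line."""
    m = re.search(r"\S+:\d+\s+->\s+(\S+):\d+", alert)
    if not m:
        raise ValueError("no 'src -> dst' line in alert")
    return m.group(1)


def find_rule(rules_text, sid):
    """Return the rule line carrying exactly this sid, or None.
    Like 'grep sid:N' but anchored, so sid:882 does not match sid:8820."""
    pat = re.compile(r"\bsid\s*:\s*%d\s*;" % sid)
    for line in rules_text.splitlines():
        if pat.search(line):
            return line.strip()
    return None


def split_options(body):
    """Split the text inside the rule's parentheses on ';', ignoring any ';'
    that sits inside a double-quoted content/uricontent string."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def to_pass_rule(rule, dst_host, local_sid=None):
    """Turn 'alert proto src sport -> dst dport (opts)' into a pass rule whose
    destination is one host and whose options are the detection options only.
    local_sid (hypothetical parameter) adds 'sid:N; rev:1;' for Snort builds
    that require a sid on every rule."""
    hdr = r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
    m = re.match(hdr, rule)
    if not m:
        raise ValueError("unrecognised rule header")
    _action, proto, src, sport, direction, _dst, dport, body = m.groups()
    kept = [o for o in split_options(body)
            if o.split(":", 1)[0].strip() not in REPORTING_OPTS]
    if local_sid is not None:
        kept += ["sid:%d" % local_sid, "rev:1"]
    return "pass %s %s %s %s %s %s (%s;)" % (
        proto, src, sport, direction, dst_host, dport, "; ".join(kept))


def local_rules_entry(alert, rules_text, local_sid=None):
    """Produce the local.rules text for one false-positive alert: a comment
    recording the original gid:sid:rev and msg, then the pass rule."""
    gid, sid, rev = sid_from_alert(alert)
    rule = find_rule(rules_text, sid)
    if rule is None:
        raise LookupError("sid %d not found in rules" % sid)
    host = dst_from_alert(alert)
    msg = re.search(r'msg\s*:\s*"([^"]*)"', rule)
    tag = (' ("%s")' % msg.group(1)) if msg else ""
    comment = "# pass for %d:%d:%d%s on %s" % (gid, sid, rev, tag, host)
    return comment + "\n" + to_pass_rule(rule, host, local_sid)


if __name__ == "__main__":
    print(local_rules_entry(SAMPLE_ALERT, SAMPLE_RULES))
```

Run it as-is to see the local.rules entry for the constructed alert; to use it against a real sensor, feed it the text of one alert and the concatenated contents of the rules directory. The destination host is taken from the alert rather than from the rule's `$HTTP_SERVERS` variable on purpose, so the pass stays scoped to the one server that was falsing.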