[Snort-users] announcement & questions: user space firewall

Martin Roesch roesch at ...421...
Thu Nov 30 01:17:29 EST 2000


This is correlation and we're planning on implementing something to do this
down the road.  Version 1.7 won't have it, but the version after that is what
I'm aiming for to include correlation rules.  It'll look something like this
(this is very primitive, I did up another version a while back and it had more
useful stuff in it, but it's late and I'm sick so you get the nickel tour ;)

# imap buffer overflow followed by xterm back to attacker
correlate msg: "event foo!"
{
    event 1 tcp !$HOME_NET any -> $HOME_NET 143 (content: "AUTHENTICATE"; dsize: >512;)
    event 2 tcp $HOME_NET 143 -> !$HOME_NET any (content: "root";)
    event 3 tcp $HOME_NET 6000 -> !$HOME_NET any (content: "| de ad be ef|";)
}

Something like that.


     -Marty


Dan Hollis wrote:
> 
> On Wed, 29 Nov 2000, Todd Lewis wrote:
> > On Tue, 28 Nov 2000, Martin Roesch wrote:
> > > > 5) PROPOSED CHANGES
> > > >         A) MULTIPLE ACTIONS PER RULE
> > > Ok, this doesn't look like it'd be too terribly hard to implement.  One
> > > interesting thing to consider is the interaction that this will have with
> > > Andrew Baker's multi-level alerts that will be coming out in Snort 1.7.
> > Would it be the end of the world if I added this now?  I'm eager to get this
> > work done.
> 
> How about multiple checks per rule, sort of like ipchains where you can
> chain rules together. This could cut down on false alarms by allowing more
> precise criteria for packet matching.
> 
> -Dan
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
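The correlation sketch above, as an added illustration that is not Snort code and not part of the thread: a minimal stateful matcher that fires "event foo!" only after the three events are seen in order, so a lone IMAP login never alerts. $HOME_NET is approximated by a constructed address prefix and packets are constructed (src, sport, dst, dport, payload) tuples.

```python
# Added example: stateful correlator for the sketched "correlate" block.
HOME_NET = "10.0.0."  # constructed: prefix match stands in for $HOME_NET

def in_home(ip):
    return ip.startswith(HOME_NET)

# Each event: (src_home, sport, dst_home, dport, content, min_dsize)
# src_home/dst_home: True = $HOME_NET, False = !$HOME_NET; port None = any.
CORRELATION = {
    "msg": "event foo!",
    "events": [
        (False, None, True, 143, b"AUTHENTICATE", 512),        # event 1
        (True, 143, False, None, b"root", 0),                  # event 2
        (True, 6000, False, None, bytes.fromhex("deadbeef"), 0),  # event 3
    ],
}

def matches(event, pkt):
    """One rule line against one packet: direction, ports, dsize, content."""
    src_home, sport, dst_home, dport, content, min_dsize = event
    src, sp, dst, dp, payload = pkt
    if in_home(src) != src_home or in_home(dst) != dst_home:
        return False
    if sport is not None and sp != sport:
        return False
    if dport is not None and dp != dport:
        return False
    if len(payload) <= min_dsize:  # dsize: >N
        return False
    return content in payload

def correlate(packets, rule=CORRELATION):
    """Advance to the next event only after the current one matches;
    return one alert message per completed chain."""
    alerts, step = [], 0
    for pkt in packets:
        if matches(rule["events"][step], pkt):
            step += 1
            if step == len(rule["events"]):
                alerts.append(rule["msg"])
                step = 0
    return alerts

# Constructed sample traffic: a full chain, and a benign login that must not fire.
ATTACK_TRACE = [
    ("192.0.2.7", 40000, "10.0.0.5", 143, b"a001 AUTHENTICATE " + b"A" * 600),
    ("10.0.0.5", 143, "192.0.2.7", 40000, b"uid=0(root) gid=0(root)"),
    ("10.0.0.5", 6000, "192.0.2.7", 6001, b"\x00\x01" + bytes.fromhex("deadbeef")),
]
BENIGN_TRACE = [
    ("192.0.2.9", 40100, "10.0.0.5", 143, b"a001 AUTHENTICATE PLAIN"),
    ("10.0.0.5", 143, "192.0.2.9", 40100, b"a001 OK"),
]
```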


