[Snort-users] Rules ordering question.

Williams Jon WilliamsJon at ...2134...
Wed May 1 06:57:39 EDT 2002


[This information is to the best of my recollection.  If someone more
authoritative disagrees, they're probably right :-)]

The answer is "It Depends!" :-)

Snort builds its internal rule order based on three things, the action, the
chain headers and the chain options.

Let's break it down a bit.

Take the rules:

alert tcp 1.1.1.1 80 -> 2.2.2.2 90 (msg: "Test message 1";)
alert tcp 2.2.2.2 90 -> 1.1.1.1 80 (msg: "Test message 2";)
log   tcp 3.3.3.3 80 -> 4.4.4.4 80 (flags: A+; content: "X";)
alert tcp 1.1.1.1 80 -> 2.2.2.2 90 (flags: A+;)
|---| |--------------------------| |------------------------|
action      chain header                chain options

When snort reads in this whole list, it first orders by the action (whether
alert->pass->log or pass->alert->log if the -o flag is specified on the
command line).  Next, it takes the chain headers and builds a tree, based on
the order read in from the configuration files.  In this particular case,
the tree would look like:

alert tcp 1.1.1.1 80 -> 2.2.2.2 90
	msg: "Test message 1";
	flags: A+;
alert tcp 2.2.2.2 90 -> 1.1.1.1 80
	msg: "Test message 2";
log tcp 3.3.3.3 80 -> 4.4.4.4 80
	flags: A+; content: "X";

So far so good, right?  This is where it starts getting tough.  When you get
into the snort.org ruleset, you get over 1000 rules, so now you've got to
contend with not just the two rules you've got listed but also any other
rules that have the chain header of "alert tcp $EXTERNAL_NET any ->
$HOME_NET 80".  Realistically, in order to know which, if any, of these two
rules would fire, you'd have to build your tree, find the chain header, and
read through the option nodes to see which shows up first.  Also, you'd need
to watch the rules above it in the path to make sure that there isn't a more
generic rule that would take precedence.  For example, if you had as your
first rule in your conf file, a rule that read:

alert any any -> any any (msg: "Just checking to see if snort works";)

Neither of your other rules would ever fire.

Incidentally, after hearing Marty talk about how the rule tree is built, I
attempted to build a perl script to do this.  If there's interest, I'll post
what I've got for review.  Its been useful to me in visualizing what will
happen with my traffic, as well as understanding how rule ordering affects
performance.

Jon

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay at ...3331...]
Sent: Tuesday, April 30, 2002 10:21 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Rules ordering question.


Hello,

Question about rule ordering and placement.

If I have two rules in two different rules files,

This alert is in web-iis.rules.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Test Event 1"; flags:A+;
content:"Test Message 1"; nocase; depth: 5; classtype:misc-activity; rev:1;)

This alert is in local.rules.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Test Event 2"; flags:A+;
content:"Test Message"; nocase; depth: 5; classtype:misc-activity; rev:1;)

The string is very similiar, but the local.rules entry is missing the number
"1" at the
end of the string. What rule would fire first? How would snort determine the
order in the chain for two very similiar rules?

NOTE: This question is specifically about similiar rules in DIFFERENT rules
files. I don't
want to just put the local.rules entry in to the web-iis.rules file above
Test Event 1 rule.


Thanks!

vjl








More information about the Snort-users mailing list