[Snort-users] Snort v2 rule order help (long)

JP Vossen vossenjp at ...8683...
Wed Apr 23 22:42:06 EDT 2003

I'm setting up a honeypot on my backup DSL line and my rules don't work the
way I expect (what a shock).  I've Googled, read all the docs, FAQs (both on
Snort.org and in the v2.0.0 tarball (which seems newer)), the SourceFire Snort
v2 white papers (no real technical details), this list archives, and I've run
Jon William's Perl script [0] on the 1.9.1 rules and upgraded my snort.conf to
v2, all to no avail.  I have not looked at the source, as I will not
understand it.  My C skills are limited to Hello World.

I was using Snort v1.9.1, MySQL 3.23.54a-4, PHP 4.2.2-8.0.7 and ACID
0.9.6b23 (all Snort.org and RedHat 8.0 default RPMs when possible).  I have
since upgraded to Snort 2.0 (home grown RPMs since the Snort.org ones aren't
out yet).  Snort and ACID work fine, alerts go into MySQL and show up in ACID,
except for this problem.

Basically, I am trying to write a few rules for specific stuff, then have a
general catch-all (or cleanup) for anything I missed.  The idea is to make
ACID summary screens a little more meaningful by broadly categorizing packets.
(Remember: honeynet, no production traffic!)

With Snort 1.9.1 the problem was that the catch-all rule was triggering on
packets that should have triggered a more specific rule instead.  Since I
upgraded to Snort 2.0, the ONLY rule that triggers is "HPT-Catch All IP"!!!

As I said, my snort.conf is now v2.0.0, with all other rules files commented
out.  $HOME_NET is "var HOME_NET xx.xx.xx.xx/32".

Any idea what I'm doing wrong, or how I can get more or less what I want?
Also, once this is working, phase 2 is to move some of the "real" signatures
back in.  At that point I may change my HPT rules to log instead of alert.
Then the goal is still to capture EVERYTHING, but also to alert on the really
interesting stuff too.  Any thoughts here?

TIA for any thoughts as this has me quite frustrated.

# JP-HoneyPot.rules for a Honeynet/ACID "capture everydarnthing"
# 2003-04-19 JPV Upgraded to Snort 2.0.0 and broke out to new file

# "HPT-" is a prefix meaning Honeypot, just to make the rules identifiable.

# ICMP (any/all)
alert icmp any any -> $HOME_NET any (msg: "HPT-Incoming ICMP"; session: printable;)
alert icmp $HOME_NET any -> any any (msg: "HPT-Outgoing ICMP"; session: printable;)

# UDP (any/all)
alert udp any any -> $HOME_NET any (msg: "HPT-Incoming UDP"; session: printable;)
alert udp $HOME_NET any -> any any (msg: "HPT-Outgoing UDP"; session: printable;)

# TCP with payload
alert tcp any any -> $HOME_NET any (dsize:>0; msg: "HPT-Incoming TCP with payload"; session: printable;)
alert tcp $HOME_NET any -> any any (dsize:>0; msg: "HPT-Outgoing TCP with payload"; session: printable;)

# TCP with no payload
alert tcp any any -> $HOME_NET any (dsize:0; msg: "HPT-Incoming TCP no payload";)
alert tcp $HOME_NET any -> any any (dsize:0; msg: "HPT-Outgoing TCP no payload";)

# Catch-all
alert icmp any any -> any any (msg: "HPT-Catch All ICMP"; session: printable;)
alert tcp  any any -> any any (msg: "HPT-Catch All TCP";  session: printable;)
alert udp  any any -> any any (msg: "HPT-Catch All UDP";  session: printable;)
alert ip   any any -> any any (msg: "HPT-Catch All IP";   session: printable;)

Here is the relevant stuff from the ACID 35 Most Frequent Alerts (TAB
delimited, sorry about the formatting).

I first installed the box 2003-03-16 03:25:28, changed over from 1 monolithic
rule on 2003-03-20 22:22:16, and upgraded to Snort 2.0.0 on 2003-04-19
03:39:51.  Note in the middle block that "HPT-Catch All TCP" was 37%, which is
WAY too high.  But the most telling fact is that since the Snort 2.0.0 upgrade
no rule other than "HPT-Catch All IP" has fired.

<ACID 35 Most Frequent Alerts>
Signature	Total #	Src. Addr.	Dest. Addr.	First	Last
HPT-Catch All IP	5420 (4%)	1	684	2003-04-19 03:39:51	2003-04-24 01:14:55

HPT-Incoming UDP	5979 (4%)	1	4046	2003-03-20 22:34:41	2003-04-19 01:40:12
HPT-Incoming TCP no payload	59379 (41%)	930	2	2003-03-21 02:11:11	2003-04-18 23:14:59
HPT-Catch All TCP	53727 (37%)	1	4	2003-03-20 23:08:11	2003-04-18 23:14:59
HPT-Incoming TCP with payload 	10042 (7%)	1	654	2003-03-20 22:56:55	2003-04-18 23:14:56
HPT-Incoming ICMP	210 (0%)	1	59	2003-03-21 01:30:53	2003-04-18 19:06:36
HPT-Catch All UDP	4 (0%)	1	1	2003-03-21 01:40:39	2003-03-21 02:06:45
HPT-Outgoing ICMP	13 (0%)	1	1	2003-03-21 01:31:45	2003-03-21 02:03:55
HPT-Incoming TCP other flags	20 (0%)	1	5	2003-03-20 22:56:23	2003-03-21 01:31:22
HPT-Incoming TCP ACK	52 (0%)	1	6	2003-03-20 22:42:12	2003-03-21 01:31:18
HPT-Incoming TCP SYN	25 (0%)	1	5	2003-03-20 22:56:19	2003-03-21 01:31:18

Honeypot--All	9184 (6%)	803	341	2003-03-16 03:25:28	2003-03-20 22:22:16
[Other misc. junk truncated]
</ACID 35 Most Frequent Alerts>

[0] http://marc.theaimsgroup.com/?l=snort-users&m=102035091108767&w=2

JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
"The software said it requires Windows 98 or better, so I installed
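As an added illustration (not code from the post, and not Snort's detection engine), here is a toy Python evaluator that applies the twelve HPT rules above to constructed packets under the first-match ordering the post assumes, and also lists every rule a packet satisfies; the address 192.0.2.7/32 is a constructed stand-in for the redacted HOME_NET. It shows that every packet also satisfies the "HPT-Catch All IP" rule, so which single alert lands in ACID depends entirely on how the engine picks among overlapping matches, not on whether the specific rules are written correctly.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.7/32")  # constructed stand-in for xx.xx.xx.xx/32

# The twelve rules from the post, in file order.
RULES_TEXT = """
alert icmp any any -> $HOME_NET any (msg: "HPT-Incoming ICMP"; session: printable;)
alert icmp $HOME_NET any -> any any (msg: "HPT-Outgoing ICMP"; session: printable;)
alert udp any any -> $HOME_NET any (msg: "HPT-Incoming UDP"; session: printable;)
alert udp $HOME_NET any -> any any (msg: "HPT-Outgoing UDP"; session: printable;)
alert tcp any any -> $HOME_NET any (dsize:>0; msg: "HPT-Incoming TCP with payload"; session: printable;)
alert tcp $HOME_NET any -> any any (dsize:>0; msg: "HPT-Outgoing TCP with payload"; session: printable;)
alert tcp any any -> $HOME_NET any (dsize:0; msg: "HPT-Incoming TCP no payload";)
alert tcp $HOME_NET any -> any any (dsize:0; msg: "HPT-Outgoing TCP no payload";)
alert icmp any any -> any any (msg: "HPT-Catch All ICMP"; session: printable;)
alert tcp  any any -> any any (msg: "HPT-Catch All TCP";  session: printable;)
alert udp  any any -> any any (msg: "HPT-Catch All UDP";  session: printable;)
alert ip   any any -> any any (msg: "HPT-Catch All IP";   session: printable;)
"""

def parse_rules(text):
    """Header fields plus msg and dsize; the other options are not modelled."""
    rules = []
    for line in text.strip().splitlines():
        head, body = line.split("(", 1)
        _, proto, src, _, _, dst, _ = head.split()
        opts = {k.strip(): v.strip() for k, v in
                (o.split(":", 1) for o in body.rstrip(")").split(";") if ":" in o)}
        rules.append({"proto": proto, "src": src, "dst": dst,
                      "msg": opts["msg"].strip('"'), "dsize": opts.get("dsize")})
    return rules

def _net_ok(field, addr):  # only "any" and $HOME_NET occur in this rule set
    return field == "any" or ipaddress.ip_address(addr) in HOME_NET

def _dsize_ok(cond, size):  # the post only uses dsize:>0 and dsize:0
    return cond is None or (size > 0 if cond == ">0" else size == int(cond))

def matching_rules(pkt):
    """Every rule whose header and dsize fit pkt, in file order."""
    return [r["msg"] for r in parse_rules(RULES_TEXT)
            if r["proto"] in ("ip", pkt["proto"]) and _dsize_ok(r["dsize"], pkt["dsize"])
            and _net_ok(r["src"], pkt["src"]) and _net_ok(r["dst"], pkt["dst"])]

def first_match(pkt):
    """The selection the post expects: the earliest matching rule wins."""
    return matching_rules(pkt)[0]

# Constructed packets: an inbound SYN with no payload, and a stray UDP datagram
# that involves neither side of the honeypot address.
SYN_IN = {"proto": "tcp", "src": "198.51.100.9", "dst": "192.0.2.7", "dsize": 0}
STRAY_UDP = {"proto": "udp", "src": "198.51.100.1", "dst": "198.51.100.255", "dsize": 40}
```

Running `matching_rules(SYN_IN)` lists the specific "no payload" rule followed by both catch-alls, while the stray datagram matches only the two catch-alls.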