[Snort-users] Relation between events and rules set.

Julio Jaime jjaime at ...2272...
Thu Apr 24 14:29:02 EDT 2003


The problem is that I will need to modify all the rules, and I will not have a
standard set of rules.
Another problem is that I will need to parse each signature definition to find the
information. The solution is to add another
field with this information to the alert.
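The two approaches discussed in this thread (John's grep of the rules directory for the alert's msg, and the proposal above to parse each signature and carry the rules-file name as an extra alert field) can be combined into one small indexer. The example below is added here and is not code from the thread or from Snort; the rule files and sid values are constructed sample data, and it keys on the sid from the `[gid:sid:rev]` header first, falling back to the exact msg string for rules without a sid (the local rule in the thread fires as `[1:0:0]`).

```python
import re

# Constructed sample rule files keyed by file name (stand-ins for the web-iis.rules,
# web-misc.rules and local rules files named in the thread); sid values are illustrative.
RULE_FILES = {
    "web-iis.rules": 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
                     '(msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; sid:1002; rev:5;)\n',
    "web-misc.rules": "# comment and blank lines are skipped\n\n"
                      'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
                      '(msg:"WEB-PHP phpinfo access"; content:"phpinfo.php"; sid:1487; rev:4;)\n',
    "tcp191-local.rules": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
                          '(msg:"TCP inbound to 80 http";)\n',
}

MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')   # msg text, honouring \" escapes
SID_RE = re.compile(r"\bsid:\s*(\d+)")
HDR_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")  # [gid:sid:rev] msg

def build_index(rule_files):
    # Returns (sid -> file, msg -> file); the sid map is the reliable one, since the
    # msg prefix does not always match the file name (WEB-PHP lives in web-misc.rules).
    by_sid, by_msg = {}, {}
    for fname, text in rule_files.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = MSG_RE.search(line)
            if not m:
                continue
            s = SID_RE.search(line)
            if s:
                by_sid[int(s.group(1))] = fname
            by_msg.setdefault(m.group(1), fname)    # first definition wins
    return by_sid, by_msg

def ruleset_for_alert(alert_text, index):
    # Prefer the sid from the [gid:sid:rev] header; fall back to the exact msg
    # string for rules without a sid (the local rule in the thread has [1:0:0]).
    by_sid, by_msg = index
    m = HDR_RE.search(alert_text)
    if not m:
        return None
    gid, sid, msg = int(m.group(1)), int(m.group(2)), m.group(4)
    if gid == 1 and sid in by_sid:
        return by_sid[sid]
    return by_msg.get(msg)

def annotate_alert(alert_text, index):
    # Emit the extra field proposed in the thread as a line right after the header.
    first, _, rest = alert_text.partition("\n")
    return f"{first}\n[Ruleset: {ruleset_for_alert(alert_text, index) or 'unknown'}]\n{rest}"
```

Once the alert carries the rules-file name, a severity rule such as "ignore web-iis.rules hits against hosts that run Apache" can key on that field instead of on the msg prefix.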


-----Original Message-----
From: bmcdowell at ...7861... [mailto:bmcdowell at ...7861...]
Sent: Thursday, April 24, 2003 05:19 p.m.
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Relation between events and rules set.



I'm a rules-newbie, but could you not just Find-Replace `(msg:"` with
`(msg:"From X ruleset - `?  It might take writing a script, but then the
alert should (maybe) fire as `From X ruleset - TCP inbound to 80 http`
rather than just `TCP inbound to 80 http`.  Right?

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Julio Jaime
Sent: Thursday, April 24, 2003 2:33 PM
To: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Relation between events and rules set.


Hi John,

       I'm sorry, English is not my language and it is difficult for me to explain
it.

       You have different sets of rules:

       web-cgi.rules, web-coldfusion.rules, web-frontpage.rules,
web-iis.rules, web-misc.rules, x11.rules... etc.

       The events trigger specific rules (rules in these sets of rules).

       Ex: WEB-IIS cmd.exe access ---> in web-iis.rules

       The only reference to the set of rules in a Snort alert is the msg
header, and it is not reliable. (ex. in web-misc.rules you have msgs with
WEB-MISC and WEB-PHP...)

        If we can know the set of rules that triggered the events, we can
use it to calculate the event severity.

        The "WEB-IIS cmd.exe access" alert is not dangerous on an Apache Web
Server.

        Is it ok?

Thanks a lot.

J.J.

-----Original Message-----
From: John Sage [mailto:jsage at ...2022...]
Sent: Wednesday, April 23, 2003 10:10 p.m.
To: Julio Jaime
CC: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Relation between events and rules set.


Julio:

Let's do a little trimming:

On or about Wed, Apr 23, 2003 at 04:47:30PM -0300, Julio Jaime posited:
> Hi all,
> 
>      We are working on a threat management system using snort +
> logsnorter + syslog servers, but the core is snort.

<snip>

>      I need to know how to find the relation between the event and the
> set of rules that triggers that event.
>

Is the question "which specific rule was triggered by a specific
event", i.e. alert?

cd /wherever_your_snort_rules_are/
grep 'insert_phrase_from_alert' *

To wit:

[**] [1:0:0] TCP inbound to 80 http [**]
[Priority: 0]
04/21/03-18:07:00.234228 12.84.131.147:1894 -> 12.82.133.136:80
TCP TTL:120 TOS:0x0 ID:14681 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDEEB0032  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[toot at ...8592... /storage/snort]$ grep 'inbound to 80' *
tcp191-local.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 80
 (msg:"TCP inbound to 80 http";)



- John
-- 
"You are in a twisty maze of weblogs, all alike."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users

