[Snort-users] (no subject)

JP Vossen vossenjp at ...8683...
Fri Dec 19 21:15:01 EST 2003


> Subject: Re: [Snort-users] Rule order?
> From: Ralf Spenneberg <lists at ...9778...>
> To: Toby Rodwell <trodwell at ...10764...>
> Cc: Snort-Users <snort-users at lists.sourceforge.net>
> Date: 18 Dec 2003 13:46:42 +0100
>
> On Wed, 2003-12-17 at 21.32, Toby Rodwell wrote:
> > I think I might be missing something basic here.  I'm getting to grips with
> > Snort, trying out some really simple configs.  I'm used to rules being run in
> > the sequence they appear, so my snort.conf is currently this:-

> Unfortunately, that's not the way snort evaluates the rules. Depending on
> the Snort version the rules are reordered differently.
> Snort always reorders the rules to increase its performance. It
> practically builds its rule engine on the fly. If you are using Snort
> 2.x there is a whitepaper on the Snort homepage explaining the
> multirule-engine.

I have had *limited* success in getting rules to work in the order I want by
using the config order directive like so:

/etc/snort/snort.conf:

[...]
# Custom rule ordering so that rules trigger in the order needed.
config order: alert log payload handshake catchall
[...]

# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype payload
{
 type alert
 output database: alert, mysql, dbname=snort host=......
}
# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype handshake
{
 type alert
 output database: alert, mysql, dbname=snort host=......
}
#
# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype catchall
{
 type alert
 output database: alert, mysql, dbname=snort host=......
}
[...]


Then my rules file has stuff like this:

payload tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP with payload"; dsize:>0; session: printable; sid:1000008;)

payload tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP with payload"; dsize:>0; session: printable; sid:1000009;)

handshake tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP no payload"; dsize:0; sid:1000010;)

handshake tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP no payload"; dsize:0; sid:1000011;)

catchall icmp any any -> any any (msg:"HPT-Catch All ICMP"; session: printable; sid:1000012;)


IIRC this did not work 100%, but it's been a while and looking at this with
fresh eyes I saw some bugs (corrected in these examples), so this may work
better than I thought.  This particular setup is also running Snort 2.0.1
(yeah, yeah, I know), but there is no reason I'm aware of that this won't work
in 2.1.0.  YMMV.  My goal was to capture everything from a honeypot but to
"classify" things for easier viewing in ACID.


Search the archives [0] for "rule order" too, that might help.  I've asked
this question a few times, with the stuff above the best I've been able to
do.

Later,
JP

[0] http://marc.theaimsgroup.com/?l=snort-users
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
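The setup above only works if every custom action used in the rules file is declared with `ruletype` and also appears in `config order`; a typo in either place silently breaks the classification. The script below is an added example (not part of the original post, and it does not run Snort): it parses a `snort.conf` and a rules file as plain text, reports actions that are undeclared or missing from `config order`, and lists the sids in the type-level order that `config order` requests. The file contents are constructed to mirror the post's configuration; the `host=localhost` value and the `triage`/`noise` rule types are invented to show the two failure cases. Keeping file order within a type and placing unlisted types last is an assumption of this script, not documented Snort behaviour.

```python
"""Consistency check for a Snort 2.x snort.conf that uses custom ruletypes.

Added example, not from the original post. It never invokes Snort; it only
parses the two files as text. Both inputs below are constructed samples.
"""
import re

# Constructed snort.conf fragment: 'noise' is declared but left out of 'config order'.
SNORT_CONF = """\
# Custom rule ordering so that rules trigger in the order needed.
config order: alert log payload handshake catchall

ruletype payload
{
 type alert
 output database: alert, mysql, dbname=snort host=localhost
}
ruletype handshake
{
 type alert
 output database: alert, mysql, dbname=snort host=localhost
}
ruletype catchall
{
 type alert
 output database: alert, mysql, dbname=snort host=localhost
}
ruletype noise
{
 type log
 output log_tcpdump: noise.log
}
"""

# Constructed rules file, deliberately out of order; 'triage' is never declared.
RULES = """\
catchall icmp any any -> any any (msg:"HPT-Catch All ICMP"; session: printable; sid:1000012;)
handshake tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP no payload"; dsize:0; sid:1000010;)
payload tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP with payload"; dsize:>0; session: printable; sid:1000008;)
triage tcp any any -> any any (msg:"action with no ruletype"; sid:1000013;)
handshake tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP no payload"; dsize:0; sid:1000011;)
noise udp any any -> any 137 (msg:"declared but not ordered"; sid:1000014;)
payload tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP with payload"; dsize:>0; session: printable; sid:1000009;)
"""

# Rule actions Snort 2.x understands without a ruletype declaration.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}


def parse_conf(text):
    """Return (list from 'config order', set of names declared with 'ruletype')."""
    order, ruletypes = [], set()
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+order\s*:\s*(.+)$", line)
        if m:
            order = m.group(1).split()
        m = re.match(r"ruletype\s+(\w+)", line)  # anchored, so 'type alert' does not match
        if m:
            ruletypes.add(m.group(1))
    return order, ruletypes


def parse_rules(text):
    """Return [(action, sid), ...] for every non-comment rule line, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action = line.split(None, 1)[0]
        m = re.search(r"sid\s*:\s*(\d+)\s*;", line)
        rules.append((action, int(m.group(1)) if m else None))
    return rules


def check(conf_text, rules_text):
    """Return one message per rule whose action is undeclared or not in 'config order'."""
    order, ruletypes = parse_conf(conf_text)
    known = BUILTIN_ACTIONS | ruletypes
    problems = []
    for action, sid in parse_rules(rules_text):
        if action not in known:
            problems.append(f"sid {sid}: action '{action}' is neither built in nor declared with ruletype")
        elif action not in order:
            problems.append(f"sid {sid}: action '{action}' is not listed in 'config order'")
    return problems


def evaluation_order(conf_text, rules_text):
    """Sids sorted by their type's position in 'config order'.

    Assumption (this script's, not documented Snort behaviour): rules of the same
    type keep file order, and types absent from 'config order' sort last.
    """
    order, _ = parse_conf(conf_text)
    rank = {name: i for i, name in enumerate(order)}
    rules = parse_rules(rules_text)
    return [sid for _, sid in sorted(rules, key=lambda r: rank.get(r[0], len(order)))]


if __name__ == "__main__":
    for msg in check(SNORT_CONF, RULES):
        print("WARNING:", msg)
    print("type-level evaluation order:", evaluation_order(SNORT_CONF, RULES))
```

Run it against your real files by replacing the two constants with `open(path).read()`; the warnings are the two mistakes that make "rule order" appear not to work at all, and the final list is the order the configuration asks for, which is the thing to compare against what actually shows up in ACID.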
