[Snort-users] 3 questions on rules

Erek Adams erek at ...950...
Thu May 15 10:45:09 EDT 2003

On Thu, 15 May 2003 Garrett.Allen at ...8966... wrote:

> making haste slowly with snort.  getting tons (u.s., not metric) of alerts.
> so trying to winnow out the chaff.
> presently have a snort 2.0.0 (build 72) install running on a rh 8 linux
> distribution, upgraded from snort 1.9.1.
> 1. looking at the snort signature db i see that for sid 2102, netbios smb
> smb_com_transaction max data count of 0 dos attempt, the summary section
> states "this rule has been deprecated due to an inordinately large number of
> false positives."  in the netbios.rules, however, i see still see the rule
> so either 1. i have the wrong rules or 2. i should remove it as it is
> deprecated and generating a lot of unneeded alarms.  i haven't approached
> rule writing so is there a good howto available if i need to go this route
> (or is it as simple as deleting the appropriate lines).

You don't have the wrong rules.  That rule is enabled in the default
ruleset.  Yes, it does say 'deprecated', but I don't know if it should be
removed or what.  That would be one for our Benevolent Rule Nazi, Brian.

If it's generating a lot of falsies, then you might just want to comment
it out by placing a # infront of alert.  If you do that, just be sure to
remember that when you update your rules, or else you'll be right back
where you started.

Rule writing doc?  Easy.  Right here [0].

> 2. is there a way to determine the version of rules that are in use.  i
> checked a couple of files and didn't see anything that would indicate a
> version.

Not for the rules as a whole.  There is however a 'Revision' inside of
each rule.  If you have an older revision, then there's a newer rule.  :)
BUT, don't just update crazily.  Make sure you have the right rules for
the right version.  As Snort grows and changes, there are changes to the
rules language that may not work the same or even be present in different
versions of Snort.  If you really want to keep tabs on the rules, sign up
for the snort-sigs list.  That's where all things rule related will be...

> 3. i checked the snort signature database but did not see an explanation for
> p2p gnutella get.  it has a low severity but again i get tons of them.  any
> help on understanding this would be appreciated.

  alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
  flow:to_server,established; content:"GET "; offset:0; depth:4;
  classtype:policy-violation; sid:1432; rev:4;)

Basically that looks for a 'GET ' in a packet that's not on port 80.  The
packet must also be headed 'to_server' and be part of an established
connection (Three way handshake is completed).  The 'GET ' must also be
within the first 4 bytes of the packet.

Hope that helps!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.snort.org/docs/writing_rules/

More information about the Snort-users mailing list