[Snort-users] Rules: flags burp using 2.0.2?

JP Vossen vossenjp at ...8683...
Mon Sep 22 22:54:05 EDT 2003


> Date: Mon, 22 Sep 2003 11:16:52 -0700
> From: John Sage <jsage at ...2022...>
> To: Matt Kettler <mkettler at ...4108...>
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Rules: flags burp using 2.0.2?
>
> On Mon, Sep 22, 2003 at 11:36:36AM -0400, Matt Kettler wrote:
>
> > At 08:31 PM 9/21/2003, John Sage wrote:
> > >Rather than picking up these, it drops through to the generic TCP:135
> > >rule I've got, which confuses what I'm trying to do...
> > >
> > >Wha' happen' between 1.9.1 and here, flags-wise?
> >
> > That sounds more like a rule-ordering difference than anything else. Snort
> > does not necessarily process rules in the same order that they appear in
> > your rule files, although that is somewhat of a factor.

I have been struggling with the same issue since 1.9.1.  It definitely CHANGED
in 2.0 but just how I can't say.  This is also a pretty low priority for me,
so I've not spent much time on it.

However, I did have some limited success as follows.  I created various custom
rule TYPES, with the same definition but different names.  I then used the
'config order' directive to force rule order.  This *almost* works--there are
still some Weird Things that I have not tracked down yet.  YMMV.

<snort.conf stuff>
# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype payload
{
 type alert
 output database: alert, mysql, dbname=snort ... ignore_bpf=yes
}
#
# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype handshake
{
 type alert
 output database: alert, mysql, dbname=snort ... ignore_bpf=yes
}

[...]

# Custom rule ordering so that rules trigger in the order needed.
config order: alert log payload handshake catchall

<snort.conf stuff>

That config is OK for me because I have few "sets" of rules to order (it's a
honeypot-kind-of-thing), but is not really scalable.  It also doesn't quite work
100% but I don't remember how it's broken nor have I played since soon after
2.0.1 came out.  I have NOT had time to test 2.0.2.  It *almost, but not
quite,* worked for 2.0.0 and 2.0.1.  I did not try this with 1.9.1.

HTH,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
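As an added example (not from the post and not Snort's own code), a small Python lint that applies the scheme above: it parses a constructed snort.conf fragment for `ruletype` blocks, the `config order` line and the rules, ranks each rule by its action's position in `config order`, and flags types that are ordered but never declared, or rules whose action is not ordered at all. The built-in action set and the sample rules are assumptions; note that `config order` only sorts across rule types, so two rules of the same type still get no guaranteed file order.

```python
import re

# Snort 2 built-in rule actions (assumed set); custom ones come from 'ruletype'.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activation", "dynamic"}

# Constructed snort.conf fragment modelled on the post's scheme.  The rules,
# the missing 'catchall' ruletype and the 'oops' typo are deliberate test data.
SAMPLE_CONF = """\
ruletype payload
{
 type alert
}
ruletype handshake
{
 type alert
}
config order: alert log payload handshake catchall
handshake tcp any any -> $HOME_NET 135 (msg:"SYN to 135"; flags:S; sid:1000001;)
payload tcp any any -> $HOME_NET 135 (msg:"RPC bind to 135"; flags:PA; content:"|05 00 0B|"; sid:1000002;)
catchall tcp any any -> $HOME_NET 135 (msg:"generic TCP 135"; sid:1000003;)
alert tcp any any -> $HOME_NET 135 (msg:"builtin alert"; sid:1000004;)
oops tcp any any -> $HOME_NET 135 (msg:"typo in action"; sid:1000005;)
"""

def parse_conf(text):
    """Pull custom ruletype names, the 'config order' list and (action, sid) per rule."""
    ruletypes = {m.group(1): m.group(2)
                 for m in re.finditer(r"^ruletype\s+(\w+)\s*\{[^}]*?type\s+(\w+)",
                                      text, re.M | re.S)}
    m = re.search(r"^config order:\s*(.+)$", text, re.M)
    order = m.group(1).split() if m else []
    rules = [(r.group(1), int(r.group(2)))
             for r in re.finditer(r"^(\w+)\s+(?:tcp|udp|icmp|ip)\s+.*?sid:(\d+)",
                                  text, re.M)]
    return ruletypes, order, rules

def check_rule_order(text):
    """Rank rules by their action's slot in 'config order' and report the gaps."""
    ruletypes, order, rules = parse_conf(text)
    known = BUILTIN_ACTIONS | set(ruletypes)
    undefined = [t for t in order if t not in known]            # ordered, never declared
    unordered = [sid for act, sid in rules if act not in order]  # used, never ordered
    ranked = sorted((order.index(act), act, sid) for act, sid in rules if act in order)
    return {"order": order, "undefined_types": undefined,
            "unordered_rules": unordered, "ranked": ranked}

if __name__ == "__main__":
    for key, value in check_rule_order(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

On the sample the generic `catchall` rule ranks last, as the post intends, while the checker also reports that `catchall` has no `ruletype` block and that sid 1000005 uses an action absent from `config order`.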
