[Snort-users] creating custom rule actions for each DMZ

Jacob, Raymond A Jr raymond.jacob at ...7622...
Wed Nov 24 14:34:41 EST 2004


There is a sensor  between an edge router the premisis distribution router. Traffic from say 3DMZ's plus the intranet is captured by
a snort ids.
We would like to separate the alerts based on DMZ Network address of the alert. I had thought I could collect all the
alerts in one database and create an acid.php script for each DMZ and create an acid database
for DMZ. While I would love the challenge, the mind is strong but the programming skills are weak.
 An senior administrator suggested that I define a  ruletype for each DMZ.
Questions: 
1. Assuming I have 2000 rules, if I were to implement the following for 3 DMZs
I would have a total of 8000 rules. Would this many rules affect a snort ids sensor's performance?
I realize that the answer to my question depends on how the rule lists are implemented.
If the rules were in a linearly linked list I know the performance would be affected.
In a Btree, where the more specific rule lists are tried first then the time
to access any rule should be constant and the performance should not be affected?

2. Is the syntax correct in my Example snort.conf and snort rules correct?

3. Is there a better way to create rules that send alerts to a particular database
based on the DMZ network address?


#Example excerpt of snort.conf
ruletype DMZ1_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz1 host=localhost
}
ruletype DMZ2_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz3 host=localhost
}
ruletype DMZ3_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz3 host=localhost
}


var DMZ1_NET [192.168.1.0/24,10.1.1.0/24]

var DMZ1_NET [192.168.2.0/24,10.1.2.0/24]

var DMZ1_NET [192.168.3.0/24,10.1.3.0/24]

var RULE_PATH /snort/rules
var DMZ1 DMZ1_NET
var DMZ2 DMZ2_NET
var DMZ3 DMZ3_NET

include $RULE_PATH/exploit.rules
include $RULE_PATH/$DMZ1/exploit.rules
include $RULE_PATH/$DMZ2/exploit.rules
include $RULE_PATH/$DMZ3/exploit.rules
----------------------------
Example of a few Snort Rules.
/snort/rules/exploit.rules
alert tcp any any -> any any (msg:"Possible  exploit"; content:"|90|";  \
offset:40; depth:75;)

/snort/rules/DMZ1_NET/exploit.rules
DMZ1_alert tcp any any -> $DMZ1_NET any (msg:"Possible  exploit"; content:"|90|";  \
offset:40; depth:75;)

/snort/rules/DMZ2_NET/exploit.rules
DMZ2_alert tcp any any -> $DMZ2_NET any (msg:"Possible  exploit"; content:"|90|";  \
offset:40; depth:75;)

/snort/rules/DMZ3_NET/exploit.rules
DMZ3_alert tcp any any -> $DMZ3_NET any (msg:"Possible  exploit"; content:"|90|";  \
offset:40; depth:75;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041124/a56d40a6/attachment.html>


More information about the Snort-users mailing list