[Snort-users] modifying priority on certain rules

Christina McAghon cmcaghon at ...13708...
Tue Feb 21 12:51:03 EST 2006


I am running snort v2.3.3.  I would like to change the priority of a few 
certain rules (without affecting the default classification.config 
priority).  I thought I could achieve this by copying the rule from its 
rule file into local.rules.  In local.rules, I added the priority 
classification.  Here's an example:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; priority:2; sid:2466; rev:7;)

The problem is that this rule doesn't trigger.  If I modify the rule to 
not include the sid and rev, it will trigger:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; priority:2;)

However, I would like to keep the sid information.  Is that possible?  Or 
is there a better way to achieve this?

Thanks,
Christina
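An added check, not part of Christina's message and not code from the Snort project: the local.rules copy above keeps sid:2466 and rev:7 unchanged, so once both rule files are loaded two rules carry the same gid/sid/rev. Whether that is what stops the copy from firing is an assumption here, not something the post establishes, but it is cheap to detect before a restart. The script below parses Snort 2.x rules with a quote-aware option splitter, reports every gid/sid that appears in more than one file, and builds a priority override that bumps rev so the local copy is at least distinguishable from the stock rule. The file names, the choice to bump rev, and the position of the priority keyword are choices made for this example, not documented Snort behaviour.

```python
"""Find sid collisions across Snort 2.x rule files and build a priority override.

Added example, not from the original post or the Snort project.  Rule text is
the rule quoted in the post; file names and the sample local.rules content
are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Stock rule exactly as quoted in the post (sid:2466 / rev:7, no priority keyword).
STOCK_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ '
              'unicode share access"; flow:established,to_server; content:"|00|"; depth:1; '
              'content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; '
              'pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; '
              'content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; '
              'flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; '
              'sid:2466; rev:7;)')

# Constructed local.rules: the copy from the post, priority added, sid/rev untouched.
LOCAL_RULES = STOCK_RULE.replace('classtype:protocol-command-decode; sid',
                                 'classtype:protocol-command-decode; priority:2; sid')

RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<body>.*)\)\s*$')


def split_options(body):
    """Split a rule body on ';' while honouring double quotes and backslash escapes."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == '\\':
            cur.append(ch)
            escape = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            if ''.join(cur).strip():
                opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        opts.append(''.join(cur).strip())
    return opts


def parse_rule(line):
    """Return {'action', 'header', 'options': [(key, value), ...]} or None if not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    options = []
    for opt in split_options(m.group('body')):
        key, _, value = opt.partition(':')   # keyword-only options (nocase) get value ''
        options.append((key.strip(), value.strip()))
    return {'action': m.group('action'), 'header': m.group('header').strip(), 'options': options}


def option(rule, key, default=None):
    """First value of a rule option, or default when the option is absent."""
    for k, v in rule['options']:
        if k == key:
            return v
    return default


def load_rules(text, filename):
    """Parse every non-comment line of a rules file, tagging each rule with its file."""
    rules = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith('#'):
            r = parse_rule(line)
            if r:
                r['file'] = filename
                rules.append(r)
    return rules


def find_sid_collisions(rules):
    """Map (gid, sid) -> rules sharing it, for ids that occur more than once.

    Rules without a sid (the second variant in the post) cannot collide by id.
    """
    by_id = defaultdict(list)
    for r in rules:
        sid = option(r, 'sid')
        if sid is not None:
            by_id[(option(r, 'gid', '1'), sid)].append(r)
    return {k: v for k, v in by_id.items() if len(v) > 1}


def make_override(rule_text, priority):
    """Copy a rule with the given priority, keeping sid and bumping rev by one (a choice
    made here so the override is distinguishable from the stock rule it shadows)."""
    r = parse_rule(rule_text)
    if r is None:
        raise ValueError('not a Snort rule line')
    new_rev = str(int(option(r, 'rev', '0')) + 1)
    new_opts = []
    for k, v in r['options']:
        if k == 'priority':
            continue                      # replace any existing priority
        if k == 'sid':
            new_opts.append(('priority', str(priority)))
        new_opts.append((k, new_rev) if k == 'rev' else (k, v))
    body = ' '.join(f'{k}:{v};' if v else f'{k};' for k, v in new_opts)
    return f"{r['action']} {r['header']} ({body})"


def collision_report(rules):
    """Human-readable lines describing each sid collision."""
    lines = []
    for (gid, sid), group in sorted(find_sid_collisions(rules).items()):
        where = ', '.join(f"{g['file']} (rev {option(g, 'rev', '?')}, priority {option(g, 'priority', 'default')})"
                          for g in group)
        lines.append(f'gid:{gid} sid:{sid} defined in {where}')
    return lines


if __name__ == '__main__':
    loaded = load_rules(STOCK_RULE, 'netbios.rules') + load_rules(LOCAL_RULES, 'local.rules')
    for line in collision_report(loaded):
        print(line)
    print(make_override(STOCK_RULE, 2))
```

Run it as-is and the report names sid 2466 twice, once from each constructed file; running it over a real rules directory is a matter of feeding each file through load_rules before restarting Snort.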