[Snort-users] modifying priority on certain rules

sekure sekure at ...11827...
Tue Feb 21 14:00:02 EST 2006


Try oinkmaster

On 2/21/06, Christina McAghon <cmcaghon at ...13708...> wrote:
>
> I am running snort v2.3.3.  I would like to change the priority of a few
> certain rules (without affecting the default classification.config
> priority).  I thought I could achieve this by copying the rule from its rule
> file into local.rules.  In local.rules, I added the priority classification.
>  Here's an example:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$
> unicode share access"; flow:established,to_server; content:"|00|"; depth:1;
> content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative;
> pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24
> 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc;
> classtype:protocol-command-decode; priority:2; sid:2466;
> rev:7;)
>
> The problem is that this rule doesn't trigger.  If I modify the rule to not
> include the sid and rev, it will trigger:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$
> unicode share access"; flow:established,to_server; content:"|00|"; depth:1;
> content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative;
> pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24
> 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc;
> classtype:protocol-command-decode; priority:2;)
>
> However, I would like to keep the sid information.  Is that possible?  Or is
> there a better way to achieve this?
>
> Thanks,
> Christina
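An added illustration, not part of the thread: the behaviour Christina describes is consistent with Snort treating the sid as a rule's unique key, so a copy in local.rules carrying the same sid and rev collides with the original and one of the two is dropped (that is the assumption behind this script, as is the constructed, shortened version of sid 2466 used as sample input). The script reports sid collisions across rule files and shows the alternative of rewriting the priority in the stock rule in place, keeping sid and rev, which is the kind of edit a tool such as oinkmaster automates.

```python
import re

# Simplified parser: assumes option keywords do not also appear inside msg strings.
_OPT = r'\b{name}\s*:\s*([^;]+);'

def rule_option(rule, name):
    """Return the value of a single-valued option (e.g. sid, rev, priority) or None."""
    m = re.search(_OPT.format(name=name), rule)
    return m.group(1).strip() if m else None

def parse_rules(text):
    """Yield (sid, rev, priority, line) for every rule line that carries a sid."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = rule_option(line, 'sid')
        if sid is None:
            continue
        yield int(sid), int(rule_option(line, 'rev') or 0), rule_option(line, 'priority'), line

def duplicate_sids(files):
    """Map every sid seen in more than one place to its [(file, rev), ...] locations."""
    seen = {}
    for name, text in files.items():
        for sid, rev, _prio, _line in parse_rules(text):
            seen.setdefault(sid, []).append((name, rev))
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}

def set_priority(text, sid, priority):
    """Rewrite the rule with this sid in place: replace an existing priority, or insert one before sid."""
    out = []
    for line in text.splitlines():
        if rule_option(line, 'sid') == str(sid):
            if rule_option(line, 'priority') is not None:
                line = re.sub(r'\bpriority\s*:\s*[^;]+;', f'priority:{priority};', line)
            else:
                line = re.sub(r'(\bsid\s*:)', lambda m: f'priority:{priority}; {m.group(1)}', line, count=1)
        out.append(line)
    return '\n'.join(out) + '\n'

# Constructed sample: a shortened stock rule and a local.rules copy that reuses sid 2466.
STOCK = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode share access"; '
         'flow:established,to_server; content:"|00|"; depth:1; classtype:protocol-command-decode; sid:2466; rev:7;)\n')
LOCAL = STOCK.replace('classtype:protocol-command-decode;', 'classtype:protocol-command-decode; priority:2;')

if __name__ == '__main__':
    print('sid collisions:', duplicate_sids({'netbios.rules': STOCK, 'local.rules': LOCAL}))
    print('rewritten stock rule:', set_priority(STOCK, 2466, 2), end='')
```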
