[Snort-users] Newbie (well sort of) to snort......
joel.esler at ...1935...
Fri Mar 17 14:43:03 EST 2006
You have some really good questions here.
1. How the order of rules is maintained.
2. AND/OR statements within rules
3. How to ignore false positives.
4. You want to have multiple rules trigger on the same traffic.
1. I am going to refer you, and everyone else that is interested in how our
current Rule Optimizer and Multi-Rule Inspection Engine and its various
algorithms work, to the whitepapers we have published on snort.org:
http://www.snort.org/docs/#devel They are written by Marc Norton and Dan
Roelker, two guys that are on our engineering team, and work really hard on
the “Packet Matching engine”. So check out those papers at the link, and
that should help you a lot.
2. Read those whitepapers first and that should explain a few things, if
you still have questions, write the list back :)
3. How to ignore false positives. Okay, so you want to look for “rm%20”
but not “Form%20”. Makes sense, however, before we proceed down the road
of editing rules and such, let's get a couple things out of the way. A) What
version of Snort are you running? And B) Are you running the latest rule
pack available by registration at www.snort.org/rules?
4. Refer to the above two questions first.
Please respond to the list so that everyone is available to help!
On 3/17/06 5:23 PM, "SAWYER Charlotte M" <Charlotte.M.Sawyer at ...13729...>
said unto me:
> I've searched the internet and email list archives and found some near
> answers, but nothing that definitively answered my question.
> I've read some of the stuff on RTN/OTN parsing and it didn't help me much.
> I understand that the .conf file and rules files are read into a decision
> tree-linked list memory environment for snort to work with. What I'm not so
> clear on is if the order of the rules is maintained when it's loaded in.
> One reference (don't remember now where I saw it) said that the rules files
> can be considered as AND statements and the rules within a particular file
> can be considered OR statements.
> I've been experimenting with adding rules to ignore some traffic that is
> generating false positives. In one situation I want to ignore traffic that
> ALMOST matches the web-attacks rm command alert. I'm seeing a fair amount of
> alerts where the rm%20 is actually a part of Form%20 or some other string.
> I'd like to not have to review those alerts but I don't want to select based
> on IP, I want to check for the content and not alert if it has Form%20 in it.
> Because I'm new to editing rules, I wanted to have the regular rule trigger as
> well as my changed one. Guess that's not an option.
> Anyway, the results were not what I expected... I didn't see any alerts
> with Form%20 in them, but neither did I see the ones that would match on
> I'm sooo confused. :-) Thanks in advance for any help/suggestions/etc.
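Added example (not from either poster): the two ways the “rm%20 but not Form%20” tuning is usually attempted, modelled with Python regexes over constructed request lines, so you can see where each one misfires. It assumes the stock web-attacks rule keys on content "rm%20" with nocase, and the Snort 2 rule options quoted in the comments are assumed syntax.

```python
import re

# Constructed sample HTTP request lines (not traffic from the thread).
SAMPLES = {
    "true_positive":  "GET /cgi-bin/run.cgi?cmd=rm%20-rf%20/tmp HTTP/1.0",
    "form_false_pos": "GET /app?page=Form%20Builder HTTP/1.0",
    "both":           "GET /app?page=Form%20Builder&cmd=rm%20-rf%20x HTTP/1.0",
    "clean":          "GET /index.html HTTP/1.0",
}

# Stock behaviour, roughly:  content:"rm%20"; nocase;
STOCK = re.compile(r"rm%20", re.IGNORECASE)

# Attempt 1 (assumed options):  content:"rm%20"; nocase; content:!"Form%20"; nocase;
# The negated content suppresses the whole packet, so a request carrying a
# real rm%20 *and* a harmless Form%20 somewhere else is never alerted on.
FORM = re.compile(r"Form%20", re.IGNORECASE)

def negated_content_match(payload: str) -> bool:
    return bool(STOCK.search(payload)) and not FORM.search(payload)

# Attempt 2 (assumed option):  pcre:"/(?<![a-z])rm%20/i";
# Require that "rm" is not the tail of a longer word (Form, perm, ...),
# which drops the Form%20 hit without hiding a genuine rm%20 in the same packet.
LOOKBEHIND = re.compile(r"(?<![a-z])rm%20", re.IGNORECASE)

def lookbehind_match(payload: str) -> bool:
    return bool(LOOKBEHIND.search(payload))

def evaluate() -> dict:
    """Return {sample: (stock, negated_content, lookbehind)} for each sample."""
    return {
        name: (bool(STOCK.search(p)), negated_content_match(p), lookbehind_match(p))
        for name, p in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:15s} stock={verdicts[0]} negated={verdicts[1]} lookbehind={verdicts[2]}")
```

The "both" sample is the case to check on your own traffic before settling on a negated content: it is silently dropped by attempt 1 but still caught by attempt 2.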