[Snort-users] Newbie (well sort of) to snort......

Joel Esler joel.esler at ...1935...
Fri Mar 17 14:43:03 EST 2006


You have some really good questions here.

1. How the order of rules is maintained.
2. AND/OR statements within rules
3. How to ignore false positives.
4. You want to have multiple rules trigger on the same traffic.


1. I am going to refer you, and, everyone else that is interested in how our
current Rule Optimizer and Multi-Rule Inspection Engine and it¹s various
algorithms, to the whitepapers we have published on snort.org..
http://www.snort.org/docs/#devel  They are written by Marc Norton and Dan
Roelker.  Two guys that are on our engineering team, and work really hard on
the ³Packet Matching engine².  So check out those papers at the link, and
that should help you a lot.
   2.  Read those whitepapers first and that should explain a few things, if
you still have questions, write the list back :)
   3.  How to ignore false positives.  Okay, so you want to look for ³rm%20²
but not ³Form%20².  Makes sense, however, before we proceed down the road
of editing rules and such, lets get a couple things out of the way.  A) What
version of Snort are you running?  And B) Are you running the latest rule
pack available by registration at www.snort.org/rules?
   4. Refer to the above two questions first.

Please respond to the list so that everyone is available to help!

Joel Esler

On 3/17/06 5:23 PM, "SAWYER Charlotte M" <Charlotte.M.Sawyer at ...13729...>
said unto me:

> I've searched the internet and email list archives and found some near
> answers, but nothing that definitively answered my question.
> I've read some of the stuff on RTN/OTN parsing and it didn't help me much.
> Sorry.
> I understand that the .conf file and rules files are read into a decision
> tree-linked list memory environment for snort to work with.  What I'm not so
> clear on is if the order of the rules is maintained when it's loaded in.
> One reference (don't remember now where I saw it) said that the rules files
> can be considered as AND statements and the rules with in a particular file
> can be considered OR statements.
> I've been experimenting with adding rules to ignore some traffic that is
> generating false positives.  In one situation I want to ignore traffic that
> ALMOST matches the web-attacks rm command alert.  I'm seeing a fair amount of
> alerts where the rm%20 is actually a part of Form%20 or some other string.
> I'd like to not have to review those alerts but I don't want to select based
> on IP, I want to check for the content and not alert if it has Form%20 in it.
> Because I'm new to editing rules, I wanted to have the regular rule trigger as
> well as my changed one.  Guest that's not an option.
> Anyway, the results were not what I expected.......I didn't see any alerts
> with Form%20 in them, but neither did I see the ones that would match on
> Confirm%20.
> I'm sooo confused.  :-)  Thanks in advance for any help/suggestions/etc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20060317/06fe4d67/attachment.html>

More information about the Snort-users mailing list