[Snort-users] rule variables

katsumi liquer katsumi at ...11827...
Fri Oct 6 20:35:49 EDT 2006


Hello everyone,

I have some questions about writing Snort rules that I can't seem to
find answers for. First is it possible to use the src ip address of a
packet in the rule as a variable? Does snort expose any information
about a packet to be used inside the rule? For example I want to make
an 'activate/dynamic' rule that first checks for an incoming TCP
connection to a certain port, and then watches for a specific UDP
packet from that same original SRC -- so, at the moment it looks like
this:

activate tcp $SERVERS any -> 10.1.1.34 3340 (activates: 1;)

That part is just meant as a 'trigger' to make Snort watch for a
secondary event which is the real meat:

dynamic udp $SERVERS 90 -> any any (msg: "activated TRUE"; content: "|05a013f011e|"; content: "|00000a9|"; rawbytes; content: "superwolfgang.com"; classtype: unsuccessful-user; rev: 3; sid:1000902; activated_by: 1; count: 50;)

I have two questions: first, should this rule even work? No matter how
I do it, snort always reads this when it starts up:

snort[8825]: WARNING: an activation rule with no dynamic rules matched!

Since I only have one activate/dynamic rule, I'm guessing it is
referring to the above. The only reason I can see it shouldn't work on
paper is perhaps that the activate portion is TCP and the dynamic
portion is UDP -- can you mix the two?

Second, this rule is really only half accurate because the second part
could potentially match traffic coming from any source -- is it
possible to say "use the SRC ip which was intercepted in the
'activate' rule"? i.e., something like:

dynamic udp $ACTIVATE_SRC 90 -> any any (msg: "activated TRUE"; content: "|05a013f011e|"; content: "|00000a9|"; rawbytes; content: "superwolfgang.com"; classtype: unsuccessful-user; rev: 3; sid:1000902; activated_by: 1; count: 50;)

I know these are a lot of questions -- I am just trying to figure out
the best way to make what seem to be 'compound' rules, but there is
not much documentation about it. I greatly appreciate any information
at all that anyone has.

Thank you very much,

katsu
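A small lint pass over the two rules in the post, added here as an illustration (it is not from the thread or from the Snort project). It pairs each activates: id with a dynamic rule carrying the same activated_by: in the same protocol (an assumption about how Snort links the pair; if it holds, a tcp activate rule and a udp dynamic rule never match), checks that every |...| content string holds a whole number of bytes (two hex digits each), and flags header variables such as $ACTIVATE_SRC that no ipvar defines. KNOWN_VARS is assumed to be the only variable in the poster's configuration.

```python
import re

# Constructed input: the activate/dynamic pair from the post, each rule on
# one line as Snort reads it; $ACTIVATE_SRC is the variable the post wishes existed.
RULES = """
activate tcp $SERVERS any -> 10.1.1.34 3340 (activates: 1;)
dynamic udp $ACTIVATE_SRC 90 -> any any (msg: "activated TRUE"; content: "|05a013f011e|"; content: "|00000a9|"; rawbytes; content: "superwolfgang.com"; classtype: unsuccessful-user; rev: 3; sid:1000902; activated_by: 1; count: 50;)
"""
KNOWN_VARS = {"SERVERS"}  # assumed: the only ipvar defined in the poster's snort.conf
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(line):
    """Split one rule into header fields and a list of (keyword, value) options."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("unparsable rule: " + line)
    action, proto, src, _sport, _direction, dst, _dport, body = m.groups()
    opts = []
    for opt in body.split(";"):          # no ';' inside quoted values in these rules
        if opt.strip():
            key, _, val = opt.partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "opts": opts}

def lint(text):
    """Return a list of problem strings for the rules in text (empty means clean)."""
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    problems = []
    dynamic = {}                         # activated_by id -> dynamic rules carrying it
    for r in rules:
        for key, val in r["opts"]:
            if r["action"] == "dynamic" and key == "activated_by":
                dynamic.setdefault(val, []).append(r)
            if key == "content" and val.startswith("|") and val.endswith("|"):
                digits = val.strip("|").replace(" ", "")
                if len(digits) % 2:      # two hex digits per byte
                    problems.append(f"content {val} has an odd number of hex digits")
        for field in ("src", "dst"):
            if r[field].startswith("$") and r[field][1:] not in KNOWN_VARS:
                problems.append(f"{r[field]} is not a defined variable")
    for r in rules:
        if r["action"] != "activate":
            continue
        for key, val in r["opts"]:
            if key != "activates":
                continue
            # Assumption: Snort links activate/dynamic pairs within one protocol
            # list, so a tcp activate rule does not pair with a udp dynamic rule.
            partners = [d for d in dynamic.get(val, []) if d["proto"] == r["proto"]]
            if not partners:
                problems.append(f"activates:{val} ({r['proto']}) has no matching dynamic {r['proto']} rule")
    return problems
```

Running lint(RULES) reports both hex strings, the undefined $ACTIVATE_SRC, and the unpaired activates:1.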
