[Snort-users] rule variables

Jason Brvenik jasonb at ...1935...
Fri Oct 6 21:20:44 EDT 2006



katsumi liquer wrote:
> Hello everyone,
> 
> I have some questions about writing Snort rules that I can't seem to
> find answers for. First is it possible to use the src ip address of a
> packet in the rule as a variable? Does snort expose any information
> about a packet to be used inside the rule? For example I want to make
> an 'activate/dynamic' rule that first checks for an incoming TCP
> connection to a certain port, and then watches for a specific UDP
> packet from that same original SRC -- so, at the moment it looks like
> this:
> 
> activate tcp $SERVERS any -> 10.1.1.34 3340 (activates: 1;)
> 
> That part is just meant as a 'trigger' to make Snort watch for a
> secondary event which is the real meat:
> 
> dynamic udp $SERVERS 90 -> any any (msg: "activated TRUE"; content:
> "|05a013f011e|"; content: "|00000a9|"; rawbytes; content:
> "superwolfgang.com"; classtype: unsuccessful-user; rev: 3;
> sid:1000902; activated_by: 1; count: 50;)
> 
> I have two questions: first, should this rule even work? No matter how
> I do it, snort always reads this when it starts up:
> 
> snort[8825]: WARNING: an activation rule with no dynamic rules matched!
> 
> Since I only have one activate/dynamic rule, I'm guessing it is
> referring to the above. The only reason I can see it shouldn't work on
> paper is perhaps that the activate portion is TCP and the dynamic
> portion is UDP -- can you mix the two?

- Activate/Dynamic is nearly a dead code path. flowbits and tag are
preferred.

- The rules language does not allow for saving of data and using it
across different rules as you would like.

> 
> Second, this rule is really only half accurate because the second part
> could potentially match traffic coming from any source -- is it
> possible to say "use the SRC ip which was intercepted in the
> 'activate' rule" ? ie, something like:
> 
> dynamic udp $ACTIVATE_SRC 90 -> any any (msg: "activated TRUE";
> content: "|05a013f011e|"; content: "|00000a9|"; rawbytes; content:
> "superwolfgang.com"; classtype: unsuccessful-user; rev: 3;
> sid:1000902; activated_by: 1; count: 50;)
> 
> I know these are a lot of questions -- I am just trying to figure out
> the best way to make what seem to be 'compound' rules, but there is
> not much documentation about it. I greatly appreciate any information
> at all that anyone has.

Please keep asking questions. What you want to do is possible within
Snort but it requires a little code to do it. A preprocessor is probably
the shortest path to resolution but you could also create a detection
plugin that implements variable functionality.

> 
> Thank you very much,
> 
> katsu
> 

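As an added illustration of the flowbits and tag alternatives named in the reply above (example rule text written for this page, not from the thread, from the poster, or from the Snort rule set; the port 3340, the host 10.1.1.34, the flowbit name, the sids and the content bytes are placeholders): flowbits carry state between rules that match on the same stream-tracked session, so they can chain two TCP rules on one connection but cannot link a TCP connection to a later UDP packet. tag:host logs subsequent packets from the alerting source host regardless of protocol, which is the closest built-in equivalent to "watch that same original SRC", with the limitation that the follow-on packets are logged rather than content-matched by a second rule.

```snort
# Example rules written for this page (not from the thread or the Snort
# distribution). Ports, names, sids and byte patterns are placeholders.

# 1) flowbits: state shared between rules on the SAME session.
#    Rule A marks the TCP session to port 3340 and stays silent
#    (flowbits:noalert); rule B fires only on that session once the
#    content appears. Needs the stream preprocessor for flow tracking.
alert tcp $SERVERS any -> 10.1.1.34 3340 (msg:"trigger seen on 3340"; \
    flow:to_server,established; flowbits:set,seen.trigger.3340; \
    flowbits:noalert; sid:1000910; rev:1;)

alert tcp 10.1.1.34 3340 -> $SERVERS any (msg:"follow-on data on flagged session"; \
    flow:to_client,established; flowbits:isset,seen.trigger.3340; \
    content:"superwolfgang.com"; classtype:unsuccessful-user; \
    sid:1000911; rev:1;)

# 2) tag: after the TCP trigger alerts, log every packet from the same
#    source host for 600 seconds, whatever the protocol (including the
#    UDP the original question wanted to watch). The tagged packets are
#    logged, not matched against another rule's content options.
alert tcp $SERVERS any -> 10.1.1.34 3340 (msg:"trigger seen on 3340, tagging source host"; \
    flow:to_server,established; tag:host,600,seconds,src; \
    sid:1000912; rev:1;)
```

The tag rule is kept separate from the flowbits:noalert rule because tagging is attached to a generated event; a rule that suppresses its own alert has nothing to tag. Matching specific content in the later UDP packet only when it comes from the host that opened the TCP connection still needs the preprocessor or detection-plugin route the reply describes.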