[Snort-users] rules for Snort Inline

Jeff Kell jeff-kell at ...6282...
Mon Sep 4 12:47:49 EDT 2006


Risto Vaarandi wrote:
> Since testing rules one by one involves a lot of time, I started to look 
> for rule collections designed specifically for Snort Inline, and located 
> the rulesets at BleedingSnort (http://www.bleedingsnort.com/rules/). My 
> question is - are there any similar projects around for creating rules 
> for Snort Inline?
> I understand that for some rules it is difficult to verify that they 
> don't block anything legitimate, yet there could be rules which almost 
> never produce false positives. If someone has created a collection of 
> such rules, I'd be thankful for the pointers.
There are several "tweaks" available for snort rules that require
altering the original rules (inline, flexresp, snortsam, etc) and still
other keywords that appear in the basic rules themselves (threshold)
that require site-specific tweaking.  There really isn't a "one size
fits all" configuration, especially when several of these keywords are
combined.

The result is that every signature update requires a good deal of
"post-processing" to reapply your custom tweaks.  Oinkmaster can
integrate a lot of this into the update cycle, but not all.

Some of these 'tweaks' can be done outside the rules themselves... e.g.,
threshold.conf can be used in lieu of the threshold: keyword,
sid-block.map can be used in lieu of the fwsam: keyword, etc.  This
helps to separate the 'customized' components from the basic rules, but
they aren't integrated into oinkmaster.

Thresholds would be a good place for variable substitution, but in the
general rules, not used.  Two examples here might be what you consider
to be a "brute force" attack - 'x' attempts in 'y' seconds - but all of
the brute force type signatures have hardcoded values.  Another is the
spyware signatures, they are setup to alert only once every 'x' seconds. 

Then there are 'related' tweaks -- I'd like to change the classification
of every sig I changed to drop, or fwsam, so that they would stand out
in reports.

Currently I don't know of a good toolset (other than oinkmaster) of
managing your local tweaks, but would love to hear of any alternatives.

Jeff
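One way to keep such local tweaks reproducible across signature updates, as an added example that is not part of the original post or of Oinkmaster: a small post-processing pass that, for a chosen set of sids, rewrites alert to drop and stamps a local classtype (so the changed signatures stand out in reports), and moves any embedded threshold: keyword out into threshold.conf lines so the stock rule text stays untouched. The sample rules, sids and the "local-drop" classtype name are constructed for the demonstration.

```python
import re

# Constructed sample rules (placeholder sids, not from any real ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; flow:to_server; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Spyware beacon"; flow:to_server; content:"beacon"; classtype:trojan-activity; sid:1000002; rev:2;)
alert udp any any -> any 53 (msg:"DNS query"; classtype:misc-activity; sid:1000003; rev:1;)
"""

# action, header (everything up to the first '('), and the option body.
RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|log)\s+(?P<header>[^(]+)\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
THRESH_RE = re.compile(r'\s*threshold:\s*([^;]*);')
CLASSTYPE_RE = re.compile(r'classtype:\s*[^;]*;')


def apply_local_tweaks(rules_text, drop_sids, local_classtype="local-drop"):
    """Return (rewritten rules text, list of threshold.conf lines).

    drop_sids: sids to convert from alert to drop (requires Snort Inline).
    local_classtype: assumed custom classtype for the converted rules; it must
    also be declared in classification.config for Snort to accept it.
    """
    out, thresholds = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:                      # comments, blank lines, unparsed rules
            out.append(line)
            continue
        action, header, opts = m.group("action"), m.group("header"), m.group("opts")
        sid_m = SID_RE.search(opts)
        sid = int(sid_m.group(1)) if sid_m else None
        # Move an embedded threshold: into threshold.conf syntax (gen_id 1 = rules).
        t = THRESH_RE.search(opts)
        if t and sid is not None:
            thresholds.append(f"threshold gen_id 1, sig_id {sid}, {t.group(1).strip()}")
            opts = THRESH_RE.sub("", opts, count=1)
        if sid in drop_sids:
            action = "drop"
            opts = CLASSTYPE_RE.sub(f"classtype:{local_classtype};", opts, count=1)
        out.append(f"{action} {header}({opts})")
    return "\n".join(out) + "\n", thresholds


if __name__ == "__main__":
    rules, conf = apply_local_tweaks(SAMPLE_RULES, {1000002})
    print(rules)
    print("\n".join(conf))
```

Running the pass as a post-update step (for example after Oinkmaster) regenerates both the tweaked rules file and the threshold.conf fragment from the stock rules every time, so nothing has to be re-edited by hand.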
