[Snort-users] Snort 2.8 and SID on pass- and alert-rules

Vidar Hoel vho at ...14224...
Thu Oct 18 09:42:01 EDT 2007


David J. Bianco wrote:
> You've never been allowed to have duplicate SIDs, unless they both also
> have the "rev:" tag to indicate revision.

Yes, we have. Here is an example of rules we have used up until 2.8:

alert tcp $HOME_NET any -> !$HOME_NET any (msg:"ALERT TCP traffic on
illegal port, possible new service exposed"; flags:SA; classtype:
proseq-alert; sid: 1000100; rev:1;)

pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.83 any (msg:"ALERT TCP
traffic on illegal port, possible new service exposed"; flags:SA;
classtype: proseq-alert; sid: 1000100; rev:1;)

pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.84 any (msg:"ALERT TCP
traffic on illegal port, possible new service exposed"; flags:SA;
classtype: proseq-alert; sid: 1000100; rev:1;)

pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.94 any (msg:"ALERT TCP
traffic on illegal port, possible new service exposed"; flags:SA;
classtype: proseq-alert; sid: 1000100; rev:1;)

As you see, we have three pass-rules and an alert rule, all with the same
sid and rev. And this works perfectly.

> BTW, if you're going to do this, you might as well just disable the
> original rule entirely.  If you're going to pass the matching traffic,
> it's just more efficient to not have the rule at all.

As you can see from the example above, we do not pass the rule 1:1, but
only for some of the traffic it would match.

Regards,
Vidar Hoel
Telenor SOC


> Vidar Hoel wrote:
>> Hi,
>>
>> We have just tried Snort 2.8 on one of our test-sensors, and discovered
>> a new "feature" not mentioned in the release notes:
>>
>> As an example: In our ruleset, we have one alert-rule with SID 1234. But
>> for this rule, we create some pass-rules, also with SID 1234. This way
>> it's easy to keep track of which pass-rules an alert-rule has, and
>> vice versa.
>>
>> But with Snort 2.8, this is not possible. Snort 2.8 will not start, and
>> complains that we already have a rule with SID 1234.
>>
>> What is the reason for this change, since it's not mentioned in the
>> release notes? Or is it just a bug?
>>
> 
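As an added example that is not part of this thread: a small Python checker that lists every gid:sid carried by more than one rule in a Snort 2 rules file, together with the rule actions involved, so alert/pass pairs sharing a SID like the ones quoted above can be found and renumbered before an upgrade. The sample rules are constructed from the ones in the post, with 192.0.2.x documentation addresses standing in for the xxx.yyy.* hosts.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the rules quoted above; 192.0.2.x stands in for xxx.yyy.x.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"ALERT TCP traffic on \\
illegal port, possible new service exposed"; flags:SA; classtype:\\
proseq-alert; sid: 1000100; rev:1;)
pass tcp 192.0.2.68 139 -> 192.0.2.83 any (msg:"exception"; sid: 1000100; rev:1;)
pass tcp 192.0.2.68 139 -> 192.0.2.84 any (msg:"exception"; sid: 1000100; rev:1;)
alert tcp any any -> any 23 (msg:"unique sid"; sid:1000101; rev:2;)
alert tcp any any -> any 80 (msg:"same sid, other gid"; gid:3; sid:1000100; rev:1;)
"""

RULE_RE = re.compile(r'^(?P<action>alert|pass|log|drop|reject|sdrop|activate|dynamic)'
                     r'\s+[^(]+\((?P<opts>.*)\)\s*$')
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')

def join_continuations(text):
    lines, buf = [], ''   # a trailing backslash continues the rule on the next line
    for raw in text.splitlines():
        if raw.rstrip().endswith('\\'):
            buf += raw.rstrip()[:-1]
        else:
            lines.append(buf + raw)
            buf = ''
    return lines + ([buf] if buf else [])

def _opt(opts, name):
    m = re.search(r'\b%s\s*:\s*(\d+)\s*;' % name, opts)   # 'sid: 1000100;' is valid
    return int(m.group(1)) if m else None

def parse_rules(text):
    """One dict per rule that carries a sid; gid defaults to 1 as in Snort."""
    rules = []
    for line in join_continuations(text):
        m = RULE_RE.match(line.strip())            # blank and '#' lines never match
        if m:
            opts = QUOTED_RE.sub('""', m.group('opts'))   # msg text may itself say 'sid:'
            sid = _opt(opts, 'sid')
            if sid is not None:
                rules.append({'action': m.group('action'), 'sid': sid,
                              'gid': _opt(opts, 'gid') or 1, 'rev': _opt(opts, 'rev')})
    return rules

def find_duplicate_sids(text):
    groups = defaultdict(list)
    for r in parse_rules(text):
        groups[(r['gid'], r['sid'])].append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}   # (gid, sid) -> clashing rules
```

Run it over a real rules file with `find_duplicate_sids(open(path).read())`; each entry shows whether the clash is an alert/pass pair like the one in this thread or an accidental reuse between two alert rules.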