[Snort-users] Snort 2.8 and SID on pass- and alert-rules

Vidar Hoel vho at ...14224...
Fri Oct 19 03:30:44 EDT 2007


If you are right, and I have no reason to believe otherwise, what then is
the point of pass-rules?
I mean, if it's not working the way we have used these pass-rules, what
other ways do people use pass-rules?

Regards,
Vidar Hoel
Telenor SOC

David J. Bianco wrote:
> This was never really supposed to work, and if it did work, it must have
> been a bug in Snort.  I suggest checking out the threshold.conf file
> for details on how to keep the alerts enabled but suppress them for
> certain hosts.  That's probably the most straightforward way of doing
> what you want.
> 
> 	David
> 
> Vidar Hoel wrote:
>> David J. Bianco wrote:
>>> You've never been allowed to have duplicate SIDs, unless they both also
>>> have the "rev:" tag to indicate revision.
>> Yes, we have. Here is an example of rules we have used since up until 2.8:
>>
>> alert tcp $HOME_NET any -> !$HOME_NET any (msg:"ALERT TCP traffic on
>> illegal port, possible new service exposed"; flags:SA; classtype:
>> proseq-alert; sid: 1000100; rev:1;)
>>
>> pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.83 any (msg:"ALERT TCP
>> traffic on illegal port, possible new service exposed"; flags:SA;
>> classtype: proseq-alert; sid: 1000100; rev:1;)
>>
>> pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.84 any (msg:"ALERT TCP
>> traffic on illegal port, possible new service exposed"; flags:SA;
>> classtype: proseq-alert; sid: 1000100; rev:1;)
>>
>> pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.94 any (msg:"ALERT TCP
>> traffic on illegal port, possible new service exposed"; flags:SA;
>> classtype: proseq-alert; sid: 1000100; rev:1;)
>>
>> As you see, we have three pass-rules and an alert rule, all with the same
>> sid and rev. And this works perfectly.
>>
>>> BTW, if you're going to do this, you might as well just disable the
>>> original rule entirely.  If you're going to pass the matching traffic,
>>> it's just more efficient to not have the rule at all.
>> As you see from the example above, we do not pass the rule 1:1, but only
>> for some of the traffic it would match.
>>
>> Regards,
>> Vidar Hoel
>> Telenor SOC
>>
>>
>>> Vidar Hoel wrote:
>>>> Hi,
>>>>
>>>> We have just tried Snort 2.8 on one of our test-sensors, and discovered
>>>> a new "feature" not mentioned in the release notes:
>>>>
>>>> As an example: In our ruleset, we have one alert-rule with SID 1234. But
>>>> for this rule, we create some pass-rules, also with SID 1234. This way
>>>> it's easy to keep track of which pass-rules an alert-rule has, and
>>>> vice versa.
>>>>
>>>> But with Snort 2.8, this is not possible. Snort 2.8 will not start, and
>>>> complains that we already have a rule with SID 1234.
>>>>
>>>> What is the reason for this change, since it's not mentioned in the
>>>> release notes? Or is it just a bug?
>>>>
> 
> 
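The threshold.conf suppression David refers to, written out for the sid 1000100 rule and the three destination hosts from the quoted pass rules. This is an added example, not configuration from the thread; "xxx.yyy" are the masked octets from the post and the sids 1000101-1000103 mentioned in the comments are constructed.

```snort
# snort.conf: make sure the suppression file is loaded
include threshold.conf

# threshold.conf (Snort 2.8 syntax)
#
# Keep the alert rule from the thread (gen_id 1, sig_id 1000100)
# enabled, but do not log it for the three destination hosts that
# the three duplicate-sid pass rules used to cover.  One suppress
# line per host; replace 'xxx.yyy' with the real first two octets.
suppress gen_id 1, sig_id 1000100, track by_dst, ip xxx.yyy.186.83
suppress gen_id 1, sig_id 1000100, track by_dst, ip xxx.yyy.186.84
suppress gen_id 1, sig_id 1000100, track by_dst, ip xxx.yyy.186.94

# Caveat: a suppress entry keys only on gen_id/sig_id and one IP
# side (by_src or by_dst, never both).  Unlike the pass rules it
# does not check the source host xxx.yyy.186.68 or source port 139,
# so sid 1000100 is silenced for *any* flow to these three hosts.
# If the scope must stay as narrow as the pass rules, keep the pass
# rules and give each one its own sid (e.g. 1000101, 1000102,
# 1000103), which is what Snort 2.8 accepts.
```

Check the effect with a PCAP of the traffic you expect to keep alerting on, since the by_dst suppression is broader than the original pass rules.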