[Snort-users] Snort 2.8 and SID on pass- and alert-rules

Seth sethsec at ...11827...
Fri Oct 19 15:31:22 EDT 2007


Vidar,

I have used pass rules in the same way that you are, I just use a unique SID
to identify each of them.  If you are concerned with correlating the pass
rules to the original rule, try one of these two options:

1) Use a comment in your pass.rules or local.rules file which identifies the
sig or sig's that you are passing
2) Use a SID scheme for your pass rules that will associate them with the
original SID.

For example, start all pass rules in the 7 million range.  If SID is less
than 1,000,000 just add the SID from the original rule after the 7.  If the
SID is greater than 1,000,000 just replace the first digit with a 7 on your
pass rule.

Also, remember that pass rules can be use for a lot more than limiting a
alert SID on a 1 to 1 basis.

Seth Art


On 10/19/07, Vidar Hoel <vho at ...14224...> wrote:
>
> If you are right, and I have no reason to believe otherwise, what then
> the point of pass-rules?
> I mean, if it's not working they way we have used these pass-rules, what
> other ways do people use pass-rules?
>
> Regards,
> Vidar Hoel
> Telenor SOC
>
> David J. Bianco wrote:
> > This was never really supposed to work, and if it did work, it must have
> > been a bug in Snort.  I suggest checking out the threshold.conf file
> > for details on how to keep the alerts enabled but suppress them for
> > certain hosts.  That's probably the most straightforward way of doing
> > what you want.
> >
> >       David
> >
> > Vidar Hoel wrote:
> >> David J. Bianco wrote:
> >>> You've never been allowed to have duplicate SIDs, unless they both
> also
> >>> have the "rev:" tag to indicate revision.
> >> Yes, we have. Here is an example of rules we have used since up until
> 2.8:
> >>
> >> alert tcp $HOME_NET any -> !$HOME_NET any (msg:"ALERT TCP traffic on
> >> illegal port, possible new service exposed"; flags:SA; classtype:
> >> proseq-alert; sid: 1000100; rev:1;)
> >>
> >> pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.83 any (msg:"ALERT TCP
> >> traffic on illegal port, possible new service exposed"; flags:SA;
> >> classtype: proseq-alert; sid: 1000100; rev:1;)
> >>
> >> pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.84 any (msg:"ALERT TCP
> >> traffic on illegal port, possible new service exposed"; flags:SA;
> >> classtype: proseq-alert; sid: 1000100; rev:1;)
> >>
> >> pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.94 any (msg:"ALERT TCP
> >> traffic on illegal port, possible new service exposed"; flags:SA;
> >> classtype: proseq-alert; sid: 1000100; rev:1;)
> >>
> >> As you see, we have three pass-rules and an alert rule, all with same
> >> sid and rev. And this works perfectly.
> >>
> >>> BTW, if you're going to do this, you might as well just disable the
> >>> original rule entirely.  If you're going to pass the matching traffic,
> >>> it's just more efficient to not have the rule at all.
> >> As you see of the example above, we do not pass the rule 1:1, but for
> >> some of the traffic it would match.
> >>
> >> Regards,
> >> Vidar Hoel
> >> Telenor SOC
> >>
> >>
> >>> Vidar Hoel wrote:
> >>>> Hi,
> >>>>
> >>>> We have just tried Snort 2.8 on one of our test-sensors, and
> discovered
> >>>> a new "feature" not mentioned in the release notes:
> >>>>
> >>>> As an example: In our ruleset, we have one alert-rule with SID 1234.
> But
> >>>> for this rule, we create some pass-rules, also with SID 1234. This
> way
> >>>> it's easy to keep tracking of which pass-rules an alert-rule have,
> and
> >>>> vice versa.
> >>>>
> >>>> But with Snort 2.8, this is not possible. Snort 2.8 will not start,
> and
> >>>> complain that we already have a rule with SID 1234.
> >>>>
> >>>> What is the reason for this change, since it's not mentioned in the
> >>>> release notes? Or is it just a bug?
> >>>>
> >>>
> -------------------------------------------------------------------------
> >>> This SF.net email is sponsored by: Splunk Inc.
> >>> Still grepping through log files to find problems?  Stop.
> >>> Now Search log events and configuration files using AJAX and a
> browser.
> >>> Download your FREE copy of Splunk now >> http://get.splunk.com/
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>
> >>>
> >
> >
> >
> -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Splunk Inc.
> > Still grepping through log files to find problems?  Stop.
> > Now Search log events and configuration files using AJAX and a browser.
> > Download your FREE copy of Splunk now >> http://get.splunk.com/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20071019/3c45e729/attachment.html>


More information about the Snort-users mailing list