[Snort-users] Local rules with same sids and snort works!

fatema bannatwala fatema.bannatwala at ...11827...
Wed Nov 9 13:58:58 EST 2016


First and second in my local.rules file.
I thought Snort would read the local.rules file sequentially and hence
would encounter the rules sequentially at start-up, hence was referring to
"first" as first in local.rules.

~]$ less local.rules
# ------------
# LOCAL RULES
# ------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy client detected"; flow: to_server,established; content:"X-Forwarded-"; http_header; reference:url,http://www.forensicswiki.org/wiki/Proxy_server; classtype:policy-violation; sid:10001030; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"UDel Likely Successful Generic Phish 2016-09-23"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"netid="; depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0; classtype:trojan-activity; sid:10001030; rev:1;)


On Wed, Nov 9, 2016 at 1:52 PM, Joel Esler (jesler) <jesler at ...589...>
wrote:

> You mean, “first” and “second” in the email?  Or first and second, *as
> Snort encounters them in order on startup*?
>
> *--*
> *Joel Esler *| *Talos:* Manager | jesler at ...589...
>
> On Nov 9, 2016, at 1:40 PM, fatema bannatwala <fatema.bannatwala at ...13704......>
> wrote:
>
> Well, the rules have same rev numbers, and the order is like this:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy client detected"; flow: to_server,established; content:"X-Forwarded-"; http_header; reference:url,http://www.forensicswiki.org/wiki/Proxy_server; classtype:policy-violation; sid:10001030; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely Successful Generic Phish 2016-09-23"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"netid="; depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0; classtype:trojan-activity; sid:10001030; rev:1;)
>
> I only get alerts from the second one now, i.e. the phishing one, and haven't
> gotten any alert triggered for the first rule.
> Previously, when I had only the first rule, I used to get a lot of alerts
> for people using proxies, but ever since the second rule got added I
> realized that the first rule stopped triggering.
>
> On Wed, Nov 9, 2016 at 1:28 PM, Joel Esler (jesler) <jesler at ...589...>
> wrote:
>
>> You can have duplicate SIDS.  The rule with the highest rev will override
>> the lower rev rule, otherwise Snort will take the first rule it gets to,
>> and ignore the other one.
>>
>> It’s been this way for several years.
>>
>>
>> *--*
>> *Joel Esler *| *Talos:* Manager | jesler at ...589...
>>
>> On Nov 9, 2016, at 1:19 PM, fatema bannatwala <
>> fatema.bannatwala at ...11827...> wrote:
>>
>> Hi All,
>>
>> Just realized that I have two rules in my local.rules file with the same sid,
>> and Snort works just fine!!
>> I always had in my head that sids have to be unique, but today
>> when I was going through the local.rules file, I realized that someone from
>> our team had created a new rule and assigned it the same sid that a previous
>> rule had.
>> I couldn't catch it before because Snort was running just fine without
>> any complaints about duplicate sids.
>>
>> Have I missed this change in the current (or 2.9) version of Snort, or is
>> it something else?
>>
>> Quick points: I have local.rules enabled in snort.conf and PulledPork is
>> not modifying anything regarding local rules, so they should get loaded as
>> is, and above all I am getting alerts for one of the rules having the
>> duplicate sid, but no alerts for the other rule having the same sid.
>>
>> Snort version - 2.9.8.3
>> barnyard version - 2-1.9
>> pulledpork - 0.7.0
>>
>> Thanks,
>> Fatema.
>>
>
>
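The precedence Joel describes above (same SID: the rule with the highest rev wins, otherwise the first rule Snort loads) is worth checking before Snort ever reads the file, since Snort itself stays quiet about the collision. The following is an added example, not code from this thread or from the Snort project: a small Python checker that parses a local.rules file (handling `#` comments and backslash-continued lines), keys each rule on gid:sid, applies that precedence, and reports which rules would be silently shadowed. The rule file contents are constructed for the example (the two rules from the thread plus two made-up "Example rule" signatures that differ only in rev); the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Option extractors. Snort identifies a rule by gid:sid; gid defaults to 1
# and rev defaults to 1 when the option is absent.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


@dataclass
class Rule:
    line_no: int   # first physical line of the rule in the file
    gid: int
    sid: int
    rev: int
    msg: str
    text: str      # the whole rule joined onto one logical line


def parse_rules(text):
    """Split a rules file into logical rules, joining '\\' continuations."""
    rules, logical, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            if not line.strip() or line.lstrip().startswith('#'):
                continue                     # blank line or comment
            start = n
        if line.endswith('\\'):
            logical.append(line[:-1])        # continued on the next line
            continue
        logical.append(line)
        rules.append(_make_rule(start, ' '.join(logical)))
        logical, start = [], None
    if logical:
        raise ValueError(f'line {start}: rule is not terminated')
    return rules


def _make_rule(line_no, full):
    sid = SID_RE.search(full)
    if sid is None:
        raise ValueError(f'line {line_no}: rule has no sid')
    gid, rev, msg = GID_RE.search(full), REV_RE.search(full), MSG_RE.search(full)
    return Rule(line_no,
                int(gid.group(1)) if gid else 1,
                int(sid.group(1)),
                int(rev.group(1)) if rev else 1,
                msg.group(1) if msg else '',
                full)


def resolve_duplicates(rules):
    """Apply the precedence described in the thread: for an identical gid:sid
    the highest rev wins; on an equal rev the rule loaded first wins.
    Returns (winners keyed by (gid, sid), list of shadowed rules)."""
    winners, shadowed = {}, []
    for r in rules:
        key = (r.gid, r.sid)
        cur = winners.get(key)
        if cur is None:
            winners[key] = r
        elif r.rev > cur.rev:
            shadowed.append(cur)             # newer rev replaces the earlier rule
            winners[key] = r
        else:
            shadowed.append(r)               # same or lower rev: ignored
    return winners, shadowed


def report(rules):
    """One human-readable line per rule that Snort would never load."""
    winners, shadowed = resolve_duplicates(rules)
    return [f'line {r.line_no}: sid {r.sid} rev {r.rev} ({r.msg!r}) is shadowed '
            f'by line {winners[(r.gid, r.sid)].line_no} rev {winners[(r.gid, r.sid)].rev}'
            for r in shadowed]


# Constructed sample file: the two rules from the thread on the same sid, plus
# two made-up rules sharing a second sid but with different revs.
SAMPLE_RULES = r'''# ------------
# LOCAL RULES
# ------------
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy client detected"; \
    flow:to_server,established; content:"X-Forwarded-"; http_header; \
    classtype:policy-violation; sid:10001030; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely Successful Generic Phish 2016-09-23"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"netid="; depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0; classtype:trojan-activity; sid:10001030; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Example rule v1"; content:"example"; sid:10001031; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Example rule v2"; content:"example"; sid:10001031; rev:2;)
'''

if __name__ == '__main__':
    for line in report(parse_rules(SAMPLE_RULES)):
        print(line)
```

Run against a real file with `report(parse_rules(open('local.rules').read()))`; an empty report means every gid:sid is unique or resolved by rev. The check is deliberately stricter than Snort: it flags even the rev-resolved pair, because a silently superseded rule in local.rules is usually a mistake rather than an intended upgrade.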