[Snort-users] Local rules with same sids and snort works!

fatema bannatwala fatema.bannatwala at ...11827...
Wed Nov 9 14:08:19 EST 2016


Thanks for the explanation!
That makes sense. :)



On Wed, Nov 9, 2016 at 1:59 PM, Joel Esler (jesler) <jesler at ...589...>
wrote:

> I apologize, I believe I misspoke in saying it takes the “first SID” it
> encounters with the same rev.  It’s obviously taking the *last* one it
> read.  That’s my fault.
>
> *--*
> *Joel Esler *| *Talos:* Manager | jesler at ...589...
>
> On Nov 9, 2016, at 1:58 PM, fatema bannatwala <fatema.bannatwala at ...13704......>
> wrote:
>
> First and second in my local.rules file.
> I thought Snort would read the local.rules file sequentially and hence
> would encounter the rules sequentially at startup, hence I was referring to
> "first" as first in local.rules.
>
> ~]$ less local.rules
> # ------------
> # LOCAL RULES
> # ------------
> # This file intentionally does not come with signatures.  Put your local
> # additions here.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy
> client detected"; flow: to_server,established; content:"X-Forwarded-";
> http_header; reference:url,http://www.forensicswiki.org/wiki/Proxy_server;
> classtype:policy-violation; sid:10001030; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"UDel Likely
> Successful Generic Phish 2016-09-23"; flow:to_server,established;
> content:"POST"; http_method; content:".php"; http_uri; content:"netid=";
> depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0;
> classtype:trojan-activity; sid:10001030; rev:1;)
>
>
> On Wed, Nov 9, 2016 at 1:52 PM, Joel Esler (jesler) <jesler at ...589...>
> wrote:
>
>> You mean, “first” and “second” in the email?  Or first and second, *as
>> Snort encounters them in order on startup*?
>>
>> *--*
>> *Joel Esler *| *Talos:* Manager | jesler at ...589...
>>
>> On Nov 9, 2016, at 1:40 PM, fatema bannatwala <
>> fatema.bannatwala at ...11827...> wrote:
>>
>> Well, the rules have same rev numbers, and the order is like this:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy
>> client detected"; flow: to_server,established; content:"X-Forwarded-";
>> http_header; reference:url,http://www.forensicswiki.org/wiki/Proxy_server;
>> classtype:policy-violation; sid:10001030; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely
>> Successful Generic Phish 2016-09-23"; flow:to_server,established;
>> content:"POST"; http_method; content:".php"; http_uri; content:"netid=";
>> depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0;
>> classtype:trojan-activity; sid:10001030; rev:1;)
>>
>> I only get alerts from the second one now, i.e. the phishing one, and haven't
>> gotten any alert triggered for the first rule.
>> Previously, when I had only the first rule, I used to get a lot of alerts
>> for people using proxies, but ever since the second rule got added I
>> realized that the first rule stopped triggering.
>>
>> On Wed, Nov 9, 2016 at 1:28 PM, Joel Esler (jesler) <jesler at ...589...>
>> wrote:
>>
>>> You can have duplicate SIDS.  The rule with the highest rev will
>>> override the lower rev rule, otherwise Snort will take the first rule it
>>> gets to, and ignore the other one.
>>>
>>> It’s been this way for several years.
>>>
>>>
>>> *--*
>>> *Joel Esler *| *Talos:* Manager | jesler at ...589...
>>>
>>> On Nov 9, 2016, at 1:19 PM, fatema bannatwala <
>>> fatema.bannatwala at ...11827...> wrote:
>>>
>>> Hi All,
>>>
>>> Just realized that I have two rules in my local.rules file with the same
>>> sid, and Snort works just fine!!
>>> I always had in my head that sids have to be unique, but today
>>> when I was going through the local.rules file, I realized that someone from
>>> our team had created a new rule and assigned it the same sid that a previous
>>> rule had.
>>> I couldn't catch it before because Snort was running just fine without
>>> any complaints about duplicate sids.
>>>
>>> Have I missed this change in the current (or 2.9) version of Snort, or is
>>> it something else?
>>>
>>> Quick points: I have local.rules enabled in snort.conf, and pulledpork
>>> is not modifying anything regarding local rules, so they should get loaded
>>> as-is; and above all, I am getting alerts for one of the rules having the
>>> duplicate sid, but no alerts for the other rule having the same sid.
>>>
>>> Snort version - 2.9.8.3
>>> barnyard version - 2-1.9
>>> pulledpork - 0.7.0
>>>
>>> Thanks,
>>> Fatema.
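A small checker for the situation in this thread, added here as an example (it is not code from the thread or from the Snort project): it scans a rules file for sids used more than once and reports which copy would survive, modelling the precedence Joel describes (highest rev wins; on a rev tie, the copy read last). The sample rules are constructed from the two in the thread with options trimmed, gid 1 is assumed for all local rules, and the tie-break is taken from the thread rather than verified against the parser.

```python
import re
# Constructed sample local.rules modelled on the thread's two rules (options trimmed); both use sid:10001030 rev:1.
SAMPLE_RULES = """\
# LOCAL RULES
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy client detected"; flow:to_server,established; content:"X-Forwarded-"; http_header; classtype:policy-violation; sid:10001030; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely Successful Generic Phish 2016-09-23"; flow:to_server,established; content:"POST"; http_method; classtype:trojan-activity; sid:10001030; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')

def parse_rules(text):
    """Yield (sid, rev, msg, line_no) per active rule line (gid 1 assumed; rev defaults to 0)."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue                      # blank or commented-out rule
        sid = SID_RE.search(line)
        if not sid:
            continue                      # not a rule line
        rev, msg = REV_RE.search(line), MSG_RE.search(line)
        yield (int(sid.group(1)), int(rev.group(1)) if rev else 0,
               msg.group(1) if msg else '', line_no)

def find_duplicates(text):
    """Return {sid: [(line_no, rev, msg), ...]} for every sid used more than once."""
    seen = {}
    for sid, rev, msg, line_no in parse_rules(text):
        seen.setdefault(sid, []).append((line_no, rev, msg))
    return {sid: v for sid, v in seen.items() if len(v) > 1}

def winner(entries):
    """The copy Snort keeps, modelling the thread: highest rev wins; on a tie, the copy read last (assumption)."""
    best = entries[0]
    for entry in entries[1:]:
        if entry[1] >= best[1]:           # later copy with equal/higher rev replaces the earlier one
            best = entry
    return best

def report(text):
    """One line per duplicated sid, naming the copy kept and the copies silently dropped."""
    lines = []
    for sid, entries in sorted(find_duplicates(text).items()):
        kept = winner(entries)
        dropped = ', '.join(str(e[0]) for e in entries if e is not kept)
        lines.append('sid %d: keeps line %d (rev %d, "%s"); ignores line(s) %s'
                     % (sid, kept[0], kept[1], kept[2], dropped))
    return lines
```

Running `report(open('local.rules').read())` before restarting Snort turns the silent override into a visible warning; on the sample it reports that the proxy rule on line 2 is ignored in favour of the phishing rule on line 4.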