[Snort-users] resolved//Re:new//Re:help: how to use binder to give different flow with different ips-rules ?

sofardware sofardware at 126.com
Wed Mar 13 06:00:24 EDT 2019


I am sorry. I used the same sid in the different rules. 
On 2019-03-13 16:34:29, "sofardware" <sofardware at 126.com> wrote:

Snort cannot do what I want. Who can tell me whether there is something wrong in my use of the binder, or whether Snort can only do it like this???
I want packets with net 15.5.5.0/24 to hit the rule in ips1.lua, while packets with net 15.5.5.0/24 hit the rule in ips.lua.
I have tried the binder with the following files (snort.lua, ips1.lua, ips.lua):
The result is that packets with net 15.5.5.0/24 and packets with net 11.1.3.0/24 both hit ips.lua.
When I move the second binder policy to the first position, packets with net 15.5.5.0/24 and packets with net 11.1.3.0/24 both hit ips1.lua.
So the real binding is with the last policy, rather than with the condition in "when={}".
Why???
--------------------------------------------------------
snort.lua:
dofile(dir .. '/snort_defaults.lua')
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
network = { decode_drops = true }
-- each binder entry selects an ips policy file by source/destination net
binder =
{
    { when = { nets = "15.5.5.0/24" }, use = { ips_policy = "ips1.lua" } },
    { when = { nets = "11.1.3.0/24" }, use = { ips_policy = "ips.lua" } },
}
----------------------------------------------
ips1.lua:
dofile(dir .. '/snort_defaults.lua')
ips =
{
    --rules = "alert udp any any -> any 5060 ( sid:1000001; sip_method:invite1 )",
    --enable_builtin_rules = true
    -- note: this rule and the one in ips.lua both use sid:11116 (the cause found at the top of the thread)
    rules =
[[
alert udp ( msg:"File_Data_Matched:ips1###############################udp#############################~\n"; sid:11116; )
]]
}
--------------------------------------------
ips.lua:
dofile(dir .. '/snort_defaults.lua')
ips =
{
    --rules = "alert udp any any -> any 5060 ( sid:1000001; sip_method:invite1 )",
    --enable_builtin_rules = true
    -- note: same sid:11116 as the rule in ips1.lua
    rules =
[[
alert udp ( msg:"File_Data_Matched:ips~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11116; )
]]
}
At 2019-03-13 15:22:40, "sofardware" <sofardware at 126.com> wrote:

Hi all,
For example, what I want to do:
when source net = 1.1.1.1/16, use ips rule files: snort3-browser-ie.rules, snort3-browser-firefox.rules
when source net = 1.1.1.1/16, use ips rule files: snort3-indicator-shellcode.rules, snort3-malware-backdoor.rules

How can I use the flow binder?
string binder[].use.ips_policy: use ips policy from given file   // What should be put in the given file? The Snort 3 manual does not say what an ips_policy is.
ips =
{
    include = 'snort3-browser-ie.rules'
} // Is this an ips_policy??? If yes, what is the difference between realizing the above with binder[].use.ips_policy and with binder[].use.file???

Other help needed:
How can the following binders be used? There is no detailed help info or example in --help or the manual.
string binder[].use.inspection_policy: use inspection policy from given file
string binder[].use.network_policy: use network policy from given file

int binder[].when.ips_policy_id = 0: unique ID for selection of this config by external logic { 0: }
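
The resolution at the top of the thread is that both policy files declared the same sid, so the binder selected policies as configured but the two rules were not distinguishable by gid:sid. As an added example, not code from the thread or from Snort, here is a small Python checker that scans the rule text of each ips policy file and reports gid:sid pairs declared in more than one file; the sample policies are constructed from the thread's rules with the long msg strings shortened and one extra rule added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample (not the thread's files verbatim): the two policies from
# the thread reduce to one rule each, both carrying sid:11116 with no gid, so
# both are 1:11116; a third rule with a distinct sid is added for contrast.
POLICIES = {
    "ips1.lua": 'alert udp ( msg:"File_Data_Matched:ips1 udp"; sid:11116; )\n',
    "ips.lua": (
        'alert udp ( msg:"File_Data_Matched:ips udp"; sid:11116; )\n'
        'alert tcp any any -> any 80 ( msg:"http probe"; sid:11117; rev:2; )\n'
    ),
}

# A rule line is "<header> ( <options> )"; Snort 3 allows a bare "alert udp"
# header, so only the parenthesised option body is relied on here.
RULE_RE = re.compile(r'^\s*(?!#)\S.*?\((?P<body>.*)\)\s*$')
OPT_RE = re.compile(r'\b(gid|sid|rev)\s*:\s*(\d+)\s*;')

def rule_ids(text):
    """Yield (gid, sid, rev) per rule; gid defaults to 1, rev to 0."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = {k: int(v) for k, v in OPT_RE.findall(m.group("body"))}
        if "sid" not in opts:          # Lua lines such as dofile(...) land here
            continue
        yield opts.get("gid", 1), opts["sid"], opts.get("rev", 0)

def find_collisions(policies):
    """Return {(gid, sid): [(file, rev), ...]} for ids used by more than one file.

    A collision is the mistake from the thread: the binder picks the policy as
    configured, but the rule identity is not unique across the policies.
    """
    owners = defaultdict(list)
    for fname, text in policies.items():
        for gid, sid, rev in rule_ids(text):
            owners[(gid, sid)].append((fname, rev))
    return {k: v for k, v in owners.items() if len({f for f, _ in v}) > 1}

if __name__ == "__main__":
    for (gid, sid), where in find_collisions(POLICIES).items():
        files = ", ".join(f"{f} (rev {r})" for f, r in where)
        print(f"{gid}:{sid} is declared in more than one policy: {files}")
```

To check real policy files, read each file's contents into the dictionary in place of the constructed strings; the parser only looks at lines shaped like rules, so the surrounding Lua is ignored.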