[Snort-users] new//Re:help: how to use binder to give different flow with different ips-rules ?

sean murphy seanmurphy1661 at gmail.com
Wed Mar 13 10:46:18 EDT 2019


Pardon the interruption, but can someone reply with the method for
unsubscribing?

I have tried both of these options:

Snort-users mailing list
Snort-users at lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave at lists.snort.org


I receive a "bounce" message and am still getting the messages from the forum.


-Sean
On Wed, Mar 13, 2019 at 9:41 AM Carter Waxman (cwaxman) via Snort-users <
snort-users at lists.snort.org> wrote:

> Also to follow up on your previous question, the example you showed is the
> correct usage of binder for policy selection.
>
>
>
> From: "Carter Waxman (cwaxman)" <cwaxman at cisco.com>
> Date: Wednesday, March 13, 2019 at 9:12 AM
> To: sofardware <sofardware at 126.com>
> Cc: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
> Subject: Re: [Snort-users] new//Re:help: how to use binder to give
> different flow with different ips-rules ?
>
>
>
> What happens if you flip the binding order? Do you have a pcap? The
> expected behavior is to loop through all bindings but choose the first of
> each matching policy type, so if an ips policy is selected, use =
> ips_policy should be ignored later in the binding list. This allows ips,
> network and inspection policies to be selected on different criteria.
>
>
>
>    - Carter
>
>
>
> From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of
> sofardware via Snort-users <snort-users at lists.snort.org>
> Reply-To: sofardware <sofardware at 126.com>
> Date: Wednesday, March 13, 2019 at 4:39 AM
> To: sofardware <sofardware at 126.com>
> Cc: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
> Subject: [Snort-users] new//Re:help: how to use binder to give
> different flow with different ips-rules ?
>
>
>
> Snort cannot do what I want. Can someone tell me whether there is
> something wrong in my use of binder, or whether Snort can only do this???
>
> I want packets with net 15.5.5.0/24 to hit the rule in ips1.lua,
> while packets with net 15.5.5.0/24 hit the rule in ips.lua.
>
> I have tried the binder with the following files (snort.lua, ips1.lua, ips.lua):
>
> The result is that packets with net 15.5.5.0/24 and packets with net
> 11.1.3.0/24 both hit ips.lua.
>
> When I move the second binder policy to the first position, packets with net
> 15.5.5.0/24 and packets with net 11.1.3.0/24 both hit ips1.lua.
>
> So the real binding is with the last policy, rather than with the
> condition in "when={}".
>
> Why???
>
> --------------------------------------------------------
>
> snort.lua:
>
> dofile(dir .. '/snort_defaults.lua')
>
> stream = { }
> stream_ip = { }
> stream_icmp = { }
> stream_tcp = { }
> stream_udp = { }
> network={decode_drops=true}
>
> binder =
> {
>     { when = { nets = "15.5.5.0/24" }, use = { ips_policy = "ips1.lua" } },
>     { when = { nets = "11.1.3.0/24" }, use = { ips_policy = "ips.lua" } },
>
> }
> ----------------------------------------------
>
> ips1.lua
>
> dofile(dir .. '/snort_defaults.lua')
>
> ips =
> {
>     --rules = "alert udp any any -> any 5060 ( sid:1000001; sip_method:invite1 )",
>     --enable_builtin_rules = true
>     rules =
> [[
> alert udp (
> msg:"File_Data_Matched:ips1###############################udp#############################~\n";
> sid:11116; )
> ]]
> }
>
> --------------------------------------------
>
> ips.lua
>
> dofile(dir .. '/snort_defaults.lua')
>
> ips =
> {
>     --rules = "alert udp any any -> any 5060 ( sid:1000001; sip_method:invite1 )",
>     --enable_builtin_rules = true
>     rules =
> [[
> alert udp (
> msg:"File_Data_Matched:ips~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
> sid:11116; )
> ]]
> }
>
> At 2019-03-13 15:22:40, "sofardware" <sofardware at 126.com> wrote:
>
>
>       Hi all,
>
>            For example, what I want to do:
>
>            when source net = 1.1.1.1/16, use ips rule files:
> snort3-browser-ie.rules, snort3-browser-firefox.rules
>
>            when source net = 1.1.1.1/16, use ips rule files:
> snort3-indicator-shellcode.rules, snort3-malware-backdoor.rules
>
>           How can I use the flow binder:
>
>           string binder[].use.ips_policy: use ips policy from given file
> // what should be filled in the given file? The snort3 manual does not say
> what an ips_policy is
>
>           ips =
>          {
>
>            include = 'snort3-browser-ie.rules'
>          } // Is this an ips_policy??? If yes, what is the difference between
> realizing the above with binder[].use.ips_policy and binder[].use.file
> ???
>
>
>
>          Other help needed:
>
>          How can the following binders be used? There is no detailed help info
> or example in --help or the manual
>
>          string binder[].use.inspection_policy: use inspection policy from
> given file
>
>          string binder[].use.network_policy: use network policy from given
> file
>
>          int binder[].when.ips_policy_id = 0: unique ID for selection of
> this config by external logic { 0: }
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>         To unsubscribe, send an email to:
>         snort-users-leave at lists.snort.org
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
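An added example of the selection scheme Carter describes above (bindings are walked in order and the first match wins for each policy type), laid out the way the original question asked for: a different set of rule files per network. This is not the poster's configuration and not code from the Snort project. The two networks are taken from the thread; the policy file names, the rule file paths under /etc/snort/rules, and the sids are assumptions for illustration. Each "=====" comment marks the start of a separate file.

```lua
-- ===== snort.lua =====
-- Top-level config. Stream modules enabled as in the thread; the binder
-- picks an ips policy file per network.
dofile(dir .. '/snort_defaults.lua')

stream      = { }
stream_ip   = { }
stream_icmp = { }
stream_tcp  = { }
stream_udp  = { }

binder =
{
    -- Bindings are evaluated in order and the first match wins for each
    -- policy type (ips_policy here), so the most specific 'when' comes first.
    { when = { nets = '15.5.5.0/24' }, use = { ips_policy = 'ips_browser.lua' } },
    { when = { nets = '11.1.3.0/24' }, use = { ips_policy = 'ips_malware.lua' } },

    -- A binding with no 'when' matches every flow. Keep it LAST: placed
    -- first, it would win for ips_policy and shadow both entries above.
    { use = { ips_policy = 'ips_default.lua' } },
}

-- ===== ips_browser.lua =====
-- Each policy file defines its own 'ips' table. The 'include' lines inside
-- 'rules' pull in whole rule files (paths are assumptions); the inline rule
-- carries a policy-specific msg so a replay shows which policy fired.
dofile(dir .. '/snort_defaults.lua')

ips =
{
    variables = default_variables,   -- HOME_NET etc. for the included rules
    rules =
    [[
    include /etc/snort/rules/snort3-browser-ie.rules
    include /etc/snort/rules/snort3-browser-firefox.rules
    alert udp any any -> any any ( msg:"policy ips_browser"; sid:1000001; rev:1; )
    ]],
}

-- ===== ips_malware.lua =====
dofile(dir .. '/snort_defaults.lua')

ips =
{
    variables = default_variables,
    rules =
    [[
    include /etc/snort/rules/snort3-indicator-shellcode.rules
    include /etc/snort/rules/snort3-malware-backdoor.rules
    alert udp any any -> any any ( msg:"policy ips_malware"; sid:1000002; rev:1; )
    ]],
}

-- ===== ips_default.lua =====
-- Catch-all policy for traffic that matches neither network.
dofile(dir .. '/snort_defaults.lua')

ips =
{
    variables = default_variables,
    rules = [[ alert udp any any -> any any ( msg:"policy ips_default"; sid:1000003; rev:1; ) ]],
}
```

Check the config before trusting it: `snort -c snort.lua -T --warn-all` parses all four files and reports binder or rule problems, and `snort -c snort.lua -r flows.pcap -A alert_fast` on a capture containing traffic from both networks should show the "policy ips_browser" msg only for 15.5.5.0/24 flows and "policy ips_malware" only for 11.1.3.0/24 flows; the inline rules use distinct sids and msgs precisely so that output is unambiguous. If the wrong policy fires, reorder the bindings and re-run, since the first matching binding of each policy type is the one that counts. Which side of the flow `nets` is compared against is controlled by `binder[].when.role`, left at its default here; `snort --help-module binder` lists that and the other `when` and `use` keys the original question asked about.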