This is a discussion on [Snort-users] creating custom rule actions for each DMZ within the Snort forums, part of the System Security and Security Related category.
There is a sensor between an edge router and the premises distribution router. Traffic from, say, 3 DMZs plus the intranet is captured by a Snort IDS.

We would like to separate the alerts based on the DMZ network address of the alert. I had thought I could collect all the alerts in one database and create an acid.php script for each DMZ and create an ACID database for each DMZ. While I would love the challenge, the mind is strong but the programming skills are weak. A senior administrator suggested that I define a ruletype for each DMZ.

Questions:

1. Assuming I have 2000 rules, if I were to implement the following for 3 DMZs I would have a total of 8000 rules. Would this many rules affect a Snort IDS sensor's performance? I realize that the answer to my question depends on how the rule lists are implemented. If the rules were in a linearly linked list I know the performance would be affected. In a B-tree, where the more specific rule lists are tried first, the time to access any rule should be constant and the performance should not be affected?

2. Is the syntax in my example snort.conf and Snort rules correct?

3. Is there a better way to create rules that send alerts to a particular database based on the DMZ network address?
#Example excerpt of snort.conf

# One custom rule action per DMZ; each logs to syslog and to its own MySQL database.
ruletype DMZ1_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz1 host=localhost
}

ruletype DMZ2_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz2 host=localhost
}

ruletype DMZ3_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz3 host=localhost
}

# Address lists for each DMZ (one var per DMZ).
var DMZ1_NET [192.168.1.0/24,10.1.1.0/24]
var DMZ2_NET [192.168.2.0/24,10.1.2.0/24]
var DMZ3_NET [192.168.3.0/24,10.1.3.0/24]

var RULE_PATH /snort/rules
# Subdirectory names holding each DMZ's copy of the rules.
var DMZ1 DMZ1_NET
var DMZ2 DMZ2_NET
var DMZ3 DMZ3_NET

include $RULE_PATH/exploit.rules
include $RULE_PATH/$DMZ1/exploit.rules
include $RULE_PATH/$DMZ2/exploit.rules
include $RULE_PATH/$DMZ3/exploit.rules

----------------------------
Example of a few Snort rules.

/snort/rules/exploit.rules
alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)

/snort/rules/DMZ1_NET/exploit.rules
DMZ1_alert tcp any any -> $DMZ1_NET any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)

/snort/rules/DMZ2_NET/exploit.rules
DMZ2_alert tcp any any -> $DMZ2_NET any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)

/snort/rules/DMZ3_NET/exploit.rules
DMZ3_alert tcp any any -> $DMZ3_NET any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)
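Added example, not from the post or from the Snort project: a Python sketch of the "collect everything, then split by DMZ" approach the poster considered, together with a helper that derives the per-DMZ DMZn_alert rule variants from the generic rule instead of hand-editing thousands of copies. It parses the post's var DMZn_NET lines (with the three names de-duplicated), buckets fast-alert lines by the DMZ containing the destination address, and rewrites the base rule; the alert lines and the 10.9.9.9 / 172.16.0.9 addresses are constructed.

```python
import ipaddress
import re

# Constructed snort.conf excerpt mirroring the post's var lines (names de-duplicated).
SNORT_CONF = """
var DMZ1_NET [192.168.1.0/24,10.1.1.0/24]
var DMZ2_NET [192.168.2.0/24,10.1.2.0/24]
var DMZ3_NET [192.168.3.0/24,10.1.3.0/24]
"""
# Constructed fast-alert lines (hypothetical addresses, not from the post).
SAMPLE_ALERTS = [
    "10/26-12:00:01.1 [**] [1:1:1] Possible exploit [**] {TCP} 10.9.9.9:4444 -> 192.168.2.10:80",
    "10/26-12:00:02.1 [**] [1:1:1] Possible exploit [**] {TCP} 10.9.9.9:4445 -> 10.1.3.7:22",
    "10/26-12:00:03.1 [**] [1:2:1] ICMP probe [**] {ICMP} 10.9.9.9 -> 172.16.0.9",
]
BASE_RULE = 'alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|"; offset:40; depth:75;)'

VAR_RE = re.compile(r"^var\s+(\w+)_NET\s+\[([^\]]+)\]$")
FLOW_RE = re.compile(r"\{\w+\}\s+(\S+?)(?::\d+)?\s+->\s+(\S+?)(?::\d+)?\s*$")

def parse_nets(conf):
    """Map DMZ name -> list of ip_network objects from 'var DMZn_NET [...]' lines."""
    nets = {}
    for line in conf.splitlines():
        m = VAR_RE.match(line.strip())
        if m:
            nets[m.group(1)] = [ipaddress.ip_network(c.strip()) for c in m.group(2).split(",")]
    return nets

def dmz_for(addr, nets):
    """Return the DMZ whose address list contains addr, or None for intranet/other."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, rs in nets.items() if any(ip in r for r in rs)), None)

def route_alerts(lines, nets):
    """Bucket fast-alert lines by the DMZ of their destination address (one DB per bucket)."""
    buckets = {}
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            buckets.setdefault(dmz_for(m.group(2), nets) or "OTHER", []).append(line)
    return buckets

def dmz_rule(base_rule, dmz):
    """Rewrite a generic 'alert ... -> any any (...)' rule into the post's DMZn_alert form."""
    head, _, opts = base_rule.partition("(")
    fields = head.split()            # action proto src sport -> dst dport
    fields[0], fields[5] = f"{dmz}_alert", f"${dmz}_NET"
    return " ".join(fields) + " (" + opts
```

Each bucket returned by route_alerts corresponds to one of the post's per-DMZ databases, and dmz_rule applied over a base rules file yields the DMZ1_NET/DMZ2_NET/DMZ3_NET copies the snort.conf includes.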