This is a discussion on [Snort-users] Unsubscribe within the Snort forums, part of the System Security and Security Related category.
From: Lyndon Tiu
Subject: [Snort-users] Unsubscribe

Hello,

I am sorry for asking the group how to unsubscribe. For some reason the attached email from the group did not have anything at the bottom, AND I happen to have picked this one when trying to find information on how to unsubscribe ....

-- 
Lyndon Tiu

---------- Forwarded message ----------
From: "Jacob, Raymond A Jr" <raymond.jacob@navy.mil>
To: <snort-users@lists.sourceforge.net>
Date: Wed, 24 Nov 2004 17:31:48 -0500
Subject: [Snort-users] creating custom rule actions for each DMZ
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>, <mailto:snort-users-request@lists.sourceforge.net?subject=unsubscribe>
List-Help: <mailto:snort-users-request@lists.sourceforge.net?subject=help>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=snort-users>

There is a sensor between an edge router and the premises distribution router. Traffic from, say, 3 DMZs plus the intranet is captured by a Snort IDS.
We would like to separate the alerts based on the DMZ network address of the alert. I had thought I could collect all the alerts in one database and create an acid.php script for each DMZ and create an ACID database for each DMZ. While I would love the challenge, the mind is strong but the programming skills are weak.
A senior administrator suggested that I define a ruletype for each DMZ.

Questions:
1. Assuming I have 2000 rules, if I were to implement the following for 3 DMZs I would have a total of 8000 rules. Would this many rules affect a Snort IDS sensor's performance?
   I realize that the answer to my question depends on how the rule lists are implemented. If the rules were in a linearly linked list I know the performance would be affected. In a B-tree, where the more specific rule lists are tried first, the time to access any rule should be constant and the performance should not be affected?
2. Is the syntax in my example snort.conf and Snort rules correct?
3. Is there a better way to create rules that send alerts to a particular database based on the DMZ network address?

# Example excerpt of snort.conf
ruletype DMZ1_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz1 host=localhost
}
# dbname corrected to dmz2: the post had dbname=dmz3 here, which would have
# sent DMZ2 alerts into the DMZ3 database
ruletype DMZ2_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz2 host=localhost
}
ruletype DMZ3_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz3 host=localhost
}

# The post declared DMZ1_NET three times, leaving $DMZ2_NET and $DMZ3_NET
# undefined; one var per DMZ, as intended
var DMZ1_NET [192.168.1.0/24,10.1.1.0/24]
var DMZ2_NET [192.168.2.0/24,10.1.2.0/24]
var DMZ3_NET [192.168.3.0/24,10.1.3.0/24]

var RULE_PATH /snort/rules
# $DMZn expands to the name of that DMZ's rules directory under $RULE_PATH
var DMZ1 DMZ1_NET
var DMZ2 DMZ2_NET
var DMZ3 DMZ3_NET

include $RULE_PATH/exploit.rules
include $RULE_PATH/$DMZ1/exploit.rules
include $RULE_PATH/$DMZ2/exploit.rules
include $RULE_PATH/$DMZ3/exploit.rules
----------------------------
Example of a few Snort rules.

/snort/rules/exploit.rules
alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)

/snort/rules/DMZ1_NET/exploit.rules
DMZ1_alert tcp any any -> $DMZ1_NET any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)

/snort/rules/DMZ2_NET/exploit.rules
DMZ2_alert tcp any any -> $DMZ2_NET any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)

/snort/rules/DMZ3_NET/exploit.rules
DMZ3_alert tcp any any -> $DMZ3_NET any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
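Added example, not code from the post above or from the Snort project: a small Python generator for the per-DMZ layout the post sketches, so the three extra copies of a 2000-rule set are produced from one base file instead of being maintained by hand. It reads one base Snort 2.x rules file and a DMZ map, writes the `ruletype` and `var` fragment for snort.conf and one rules file per DMZ with every `alert` rule's action and destination rewritten, and offsets each copy's `sid` so that sid:rev stays unique across the copies. The DMZ names and networks mirror the post; the base rules, the `dbname` convention, the sid-stride scheme and the output paths are assumptions of this example.

```python
"""Generate the per-DMZ snort.conf fragment and rule files the post sketches.

Added example (not the post's or Snort's code). Assumptions: Snort 2.x rule
syntax with one rule per line, the constructed base rules below, dbname ==
lowercase DMZ name, and sid offsets of index * SID_STRIDE per DMZ copy.
"""
import re
from typing import Dict, List

# Constructed sample matching the three DMZs in the post.
DMZS: Dict[str, List[str]] = {
    "DMZ1": ["192.168.1.0/24", "10.1.1.0/24"],
    "DMZ2": ["192.168.2.0/24", "10.1.2.0/24"],
    "DMZ3": ["192.168.3.0/24", "10.1.3.0/24"],
}

# Constructed base rule set: the post's rule (given a sid) plus one more.
BASE_RULES = (
    "# exploit.rules (base, sensor-wide)\n"
    'alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|"; '
    "offset:40; depth:75; sid:1000001; rev:1;)\n"
    'alert tcp $EXTERNAL_NET any -> any 80 (msg:"HTTP directory traversal"; '
    'content:"../"; sid:1000002; rev:1;)\n'
)

# Each DMZ copy gets sid + index * SID_STRIDE so sid:rev identifies one rule.
SID_STRIDE = 100_000

# Snort 2.x rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"sid:\s*(\d+);")


def conf_fragment(dmzs: Dict[str, List[str]]) -> str:
    """Return the ruletype and var declarations to include from snort.conf."""
    out: List[str] = []
    for name in dmzs:
        out += [
            f"ruletype {name}_alert",
            "{",
            "    type alert",
            "    output alert_syslog: LOG_AUTH LOG_ALERT",
            f"    output database: log, mysql, user=snort dbname={name.lower()} host=localhost",
            "}",
        ]
    for name, nets in dmzs.items():          # one distinct var per DMZ
        out.append(f"var {name}_NET [{','.join(nets)}]")
    return "\n".join(out) + "\n"


def rewrite_for_dmz(base_rules: str, name: str, index: int) -> str:
    """Return base_rules with every alert rule retargeted at one DMZ.

    The destination field is replaced outright (an `any` or `$HOME_NET`
    destination becomes `$<DMZ>_NET`); comments and non-alert rules pass
    through unchanged.
    """
    out: List[str] = []
    for line in base_rules.splitlines():
        m = RULE_RE.match(line)
        if not m or m["action"] != "alert":
            out.append(line)
            continue
        opts = SID_RE.sub(lambda s: f"sid:{int(s[1]) + index * SID_STRIDE};", m["opts"])
        out.append(
            f"{name}_alert {m['proto']} {m['src']} {m['sport']} {m['dir']} "
            f"${name}_NET {m['dport']} ({opts})"
        )
    return "\n".join(out) + "\n"


def generate(dmzs: Dict[str, List[str]], base_rules: str) -> Dict[str, str]:
    """Map output path (relative to $RULE_PATH) -> file content."""
    files = {"dmz.conf": conf_fragment(dmzs)}
    for index, name in enumerate(dmzs, start=1):
        files[f"{name}_NET/exploit.rules"] = rewrite_for_dmz(base_rules, name, index)
    return files


if __name__ == "__main__":
    for path, text in generate(DMZS, BASE_RULES).items():
        print(f"==== {path}\n{text}")
```

Writing the returned dict to disk under `/snort/rules` and adding `include $RULE_PATH/dmz.conf` reproduces the post's layout; regenerating after every base-rule update is what keeps the three copies from drifting apart.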
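A second added example (again not the post's or Snort's code) for question 3: keep the single sensor-wide rule set and split the alerts afterwards by which DMZ network the destination address falls in, falling back to the source address so that outbound alerts from a DMZ host still reach that DMZ's owners. It parses constructed lines in the shape of Snort's alert_fast output; the DMZ map and the bucket names `UNASSIGNED` and `UNPARSED` are assumptions.

```python
"""Route Snort alert_fast lines to a per-DMZ bucket by address.

Added example (not the post's or Snort's code). The sample alerts are
constructed; the DMZ map mirrors the post, the bucket names are assumed.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

DMZ_NETS = {
    "DMZ1": [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.1.1.0/24")],
    "DMZ2": [ipaddress.ip_network(n) for n in ("192.168.2.0/24", "10.1.2.0/24")],
    "DMZ3": [ipaddress.ip_network(n) for n in ("192.168.3.0/24", "10.1.3.0/24")],
}

# Constructed sample in alert_fast shape: "... {PROTO} src:port -> dst:port"
SAMPLE_ALERTS = """\
11/24-17:31:48.000001  [**] [1:1000001:1] Possible exploit [**] [Priority: 0] {TCP} 203.0.113.5:4444 -> 192.168.2.10:80
11/24-17:31:49.000002  [**] [1:1000002:1] HTTP directory traversal [**] [Priority: 0] {TCP} 198.51.100.7:51000 -> 10.1.3.20:80
11/24-17:31:50.000003  [**] [1:1000001:1] Possible exploit [**] [Priority: 0] {TCP} 10.1.1.9:33000 -> 203.0.113.9:443
11/24-17:31:51.000004  [**] [1:1000001:1] Possible exploit [**] [Priority: 0] {TCP} 198.51.100.8:40000 -> 172.16.5.5:22
11/24-17:31:52.000005  [**] [1:1000003:1] ICMP probe [**] [Priority: 0] {ICMP} 192.168.1.4 -> 192.168.3.4
"""

# Endpoints sit at the end of the line; the port is absent for ICMP.
ENDPOINTS_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def dmz_for(addr: str) -> Optional[str]:
    """Name of the DMZ whose networks contain addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, nets in DMZ_NETS.items():
        if any(ip in n for n in nets):
            return name
    return None


def classify(line: str) -> str:
    """Bucket for one alert line: destination DMZ, else source DMZ, else UNASSIGNED."""
    m = ENDPOINTS_RE.search(line)
    if not m:
        return "UNPARSED"
    return dmz_for(m["dst"]) or dmz_for(m["src"]) or "UNASSIGNED"


def route(alert_text: str) -> Dict[str, List[str]]:
    """Group alert lines by bucket; each bucket maps to one DMZ's database or queue."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for line in alert_text.splitlines():
        if line.strip():
            buckets[classify(line)].append(line)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, lines in route(SAMPLE_ALERTS).items():
        print(f"{bucket}: {len(lines)} alert(s)")
        for l in lines:
            print("   ", l)
```

Routing on the address fields of the alert means the rule set stays at its original size and the sensor's per-packet work is unchanged; the per-DMZ split costs one network lookup per alert on the collector instead of a fourfold rule count on the sensor. An `UNASSIGNED` bucket that fills up is the signal that the DMZ map is out of date.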