This is a discussion on RE: [Snort-users] snort rule firing order within the Snort forums, part of the System Security and Security Related category.
You could tell oinkmaster to comment out the old rule with this:

disablesid <sid_number>

Or you could tell oinkmaster to modify the sid and replace it with your content:

modifysid <sid_number> "alert ip any any -> any any \(msg:\"BAD-TRAFFIC IP Proto 103 PIM" | "alert ip any any -> !224.0.0.13 any \(msg:\"BAD-TRAFFIC IP Proto 103 PIM"

You might need a slash in front of the exclamation point as well.

________________________________
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Kretzer, Jason R (Big Sandy)
Sent: Tuesday, September 13, 2005 9:32 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] snort rule firing order

Hello all,

I have a custom rule that I would like to fire instead of a pre-built rule. Here is my rule:

jason@bgswebtest:~$ cat /etc/snort/rules/jason.rules
alert ip any any -> !224.0.0.13 any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:1002189; rev:1;)

It is exactly the same as rule 2189 in /etc/snort/rules/bad-traffic.rules EXCEPT the destination IP, sid, and rev.

I thought my rule would take precedence because it is more "specific" than the given rule. I would comment it out, but oinkmaster, which I use to update my rules automatically, just replaces it.

Is there something I am doing wrong?

-Jason
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users
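As an added example that is not part of either post and not oinkmaster's own code: the Python below applies the two directives suggested in the reply (disablesid and modifysid) to a constructed copy of rule 2189, the way oinkmaster does in principle (comment the line out, or run a regular-expression substitution over it), so the escaping can be checked before it goes into oinkmaster.conf. The sid 2189 rule text is rebuilt from Jason's description; the sample file, its rev value, the second rule, and the function names are assumptions of this example.

```python
import re

# Constructed sample standing in for /etc/snort/rules/bad-traffic.rules.
# The sid 2189 line is the stock rule as Jason describes it (his copy differs only
# in destination IP, sid and rev); the rev value and the second rule are assumed.
SAMPLE_RULES = (
    '# constructed sample, not the real bad-traffic.rules\n'
    'alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; '
    'reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; '
    'sid:2189; rev:3;)\n'
    'alert ip any any -> any any (msg:"CONSTRUCTED other rule"; ip_proto:55; '
    'classtype:non-standard-protocol; sid:1000001; rev:1;)\n'
)

# The modifysid regexp and replacement from the reply, as a Python regex:
# "(" is a metacharacter and must be escaped in the pattern, "!" is not.
PATTERN = r'alert ip any any -> any any \(msg:"BAD-TRAFFIC IP Proto 103 PIM"'
REPLACEMENT = 'alert ip any any -> !224.0.0.13 any (msg:"BAD-TRAFFIC IP Proto 103 PIM"'

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
# action proto src_ip src_port direction dst_ip dst_port, then the opening "("
HEADER_RE = re.compile(
    r'^\s*#?\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(')


def find_sid(rule_line):
    """Return the sid of a rule line, or None if the line carries none."""
    m = SID_RE.search(rule_line)
    return int(m.group(1)) if m else None


def is_active(rule_line):
    """A rule counts as active unless blank or commented out with '#'."""
    return bool(rule_line.strip()) and not rule_line.lstrip().startswith('#')


def active_rules(rules_text):
    return [line for line in rules_text.splitlines() if is_active(line)]


def disablesid(rules_text, sid):
    """Comment out every active rule with this sid (what disablesid does)."""
    out = []
    for line in rules_text.splitlines():
        if is_active(line) and find_sid(line) == sid:
            line = '#' + line
        out.append(line)
    return '\n'.join(out) + '\n'


def modifysid(rules_text, sid, pattern, replacement):
    """Rewrite the rule(s) with this sid by regex substitution (what modifysid does).

    Raises ValueError when the pattern does not match, which is the usual symptom
    of a missing backslash before "(" or a quote (this check is this example's own).
    """
    rx = re.compile(pattern)
    out = []
    for line in rules_text.splitlines():
        if find_sid(line) == sid:
            line, n = rx.subn(replacement, line)
            if n == 0:
                raise ValueError(f'modifysid pattern did not match sid {sid}: check escaping')
        out.append(line)
    return '\n'.join(out) + '\n'


def rule_destination(rule_line):
    """Destination IP field of a rule header, e.g. 'any' or '!224.0.0.13'."""
    m = HEADER_RE.match(rule_line)
    return m.group(6) if m else None


if __name__ == '__main__':
    print(disablesid(SAMPLE_RULES, 2189))
    modified = modifysid(SAMPLE_RULES, 2189, PATTERN, REPLACEMENT)
    print(modified)
    print('destination after modifysid:', rule_destination(active_rules(modified)[0]))
```

Both rules match the same packets, and Snort has no notion of a more specific rule winning, so the stock rule has to be disabled or rewritten, which is what the two directives do. With disablesid the custom sid 1002189 rule stays as the only copy; with modifysid the stock rule itself becomes the !224.0.0.13 version, so the custom duplicate should then be dropped, otherwise two identical rules fire.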