Re: Problem in snort 1.3

[secureaustin () consultant com (H D Moore)]

I don't think this is really a problem, but more of an effect of the
implementation snort uses for matching packets against the rules.  It
would be trivial to change its behavior to try to match the rest of the
rules after it matches the first, but that is something you should
suggest to the author, not the IDS list.  A workaround for this is to
place your most important rules at the top, and your less urgent ones at
the bottom...

HD Moore

http://nlog.ings.com            (Like Nmap?  Try Nlog!)

> Hi, i think there's a problem in  the new NISD called snort,
> It read, and apply rules in order but if one match, other
> are not considered. Look at this example...
> i put this two rules in order in my ruleset-file
>
> alert tcp 127.0.0.1/32 any -> 192.168.1.0/24 any (msg:"Attempt to Connect
> via Fake Localhost;)
> alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg:"NMAP TCP
> ping";)
>
> I send two packets (tcpdump it's yet the best) :
> 13:01:36.428180 127.0.0.1.2525 > 192.168.1.1.23: . ack 0 win 512
> 13:01:47.152670 10.1.1.1.4762 > 192.168.1.1.23: . ack 0 win 512
>
> now, see what's appened:
> 1) for the first packet, i SHOULD get two alert,
> - a forged packet with src 127.0.0.1  (Attempt to Connect via Fake
> Localhost)
> - the advice of an nmap tcp ping.     (NMAP TCP ping!)
> but i receive in my log only one !
> Oct 24 13:01:36 NaiF syslog: Attempt to Connect via Fake Localhost:
> 127.0.0.1:2525 -> 192.168.1.1:23
> and where's the signature of ack seq = 0 ?
>
> 2) next packet, should give me only one alert, and it' so
> Oct 24 13:01:47 NaiF syslog: NMAP TCP ping!: 10.1.1.1:4762 ->
> 192.168.1.1:23