Intrusion Detection Systems mailing list archives
Re: Problem in snort 1.3
From: lance () ksni net (Lance Spitzner)
Date: Sun, 24 Oct 1999 21:58:33 -0500 (CDT)
On Sun, 24 Oct 1999, Fabio Pietrosanti wrote:
Hi, I think there's a problem in the new NIDS called snort. It reads and applies rules in order, but if one matches, the others are not considered. Look at this example... I put these two rules, in this order, in my ruleset file:
Fabio, not a bug, but standard procedure. Most alerting/firewalling software operates like this. For example, FW-1 and Cisco ACLs both filter and log based on the same principle. If an event generates an alert, that event is then dropped and no longer compared to any other rules. The last thing you want is multiple emails for the same event.
alert tcp 127.0.0.1/32 any -> 192.168.1.0/24 any (msg:"Attempt to Connect via Fake Localhost";)
alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg:"NMAP TCP ping";)
I send two packets (tcpdump is still the best):
13:01:36.428180 127.0.0.1.2525 > 192.168.1.1.23: . ack 0 win 512
13:01:47.152670 10.1.1.1.4762 > 192.168.1.1.23: . ack 0 win 512
Now, see what happened:
1) For the first packet, I SHOULD get two alerts:
- a forged packet with src 127.0.0.1 (Attempt to Connect via Fake Localhost)
- the notice of an nmap TCP ping (NMAP TCP ping!)
but I receive only one in my log!
Oct 24 13:01:36 NaiF syslog: Attempt to Connect via Fake Localhost: 127.0.0.1:2525 -> 192.168.1.1:23
And where's the signature for ack seq = 0?
2) The next packet should give me only one alert, and it does:
Oct 24 13:01:47 NaiF syslog: NMAP TCP ping!: 10.1.1.1:4762 -> 192.168.1.1:23
I can't check where the code problem is, because I'm not yet an experienced C programmer :(
Sorry for my bad English..
Fabio Pietrosanti
E-mail: pa2347 () panservice it
Irc: NaiF@ircnet
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an
8-bit operating system written for a 4-bit processor by a
2-bit company who cannot stand 1 bit of competition.
Save the World... Use Linux.
Lance Spitzner http://www.enteract.com/~lspitz/papers.html
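The behaviour discussed in this thread, as an added example that is not part of the original mail and not Snort's own code: a minimal first-match rule evaluator over a small subset of the Snort 1.x rule syntax (source/destination network and port, plus the flags, ack and msg options), run against packets parsed from the two tcpdump lines Fabio quoted. With first-match semantics it yields exactly the two log lines he saw; with the "keep evaluating" mode it yields the third alert he expected. Rule text and packet lines are taken from the mail; the parsing helpers and their regexes are assumptions of this example.

```python
"""First-match vs. evaluate-all rule matching (added example, not Snort code)."""
import ipaddress
import re

# Subset of the Snort 1.x rule grammar used by the two rules in the thread.
RULE_RE = re.compile(
    r'^alert\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

# tcpdump 3.x one-line TCP summary: "<time> <src>.<sport> > <dst>.<dport>: <flags> ack <n> ..."
# The flags token "." means none of S/F/R/P are set; "ack <n>" means ACK is set.
TCPDUMP_RE = re.compile(
    r'^\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'(?P<fl>\S+)(?: ack (?P<ack>\d+))?')


def parse_rule(text):
    """Parse one rule line into a dict; option values have surrounding quotes removed."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % text)
    opts = {}
    for item in m.group("opts").split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return {"src": m.group("src"), "sport": m.group("sport"),
            "dst": m.group("dst"), "dport": m.group("dport"), "opts": opts}


def parse_tcpdump_line(line):
    """Turn a tcpdump summary line into a packet dict (flags as letters S/F/R/P/A)."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported tcpdump line: %r" % line)
    flags = {ch for ch in m.group("fl") if ch in "SFRP"}
    ack = m.group("ack")
    if ack is not None:
        flags.add("A")
    return {"src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "flags": "".join(sorted(flags)), "ack": int(ack) if ack is not None else None}


def _net_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Header match on addresses/ports, then the flags and ack options if present."""
    if not (_net_ok(rule["src"], pkt["src"]) and _net_ok(rule["dst"], pkt["dst"])):
        return False
    if not (_port_ok(rule["sport"], pkt["sport"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    opts = rule["opts"]
    if "flags" in opts and set(opts["flags"]) != set(pkt["flags"]):
        return False
    if "ack" in opts and pkt["ack"] != int(opts["ack"]):
        return False
    return True


def evaluate(rules, packets, first_match_only=True):
    """Return alert strings. first_match_only=True stops at the first matching rule
    per packet (the behaviour Lance describes); False keeps checking the remaining rules."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append("%s: %s:%d -> %s:%d" % (
                    rule["opts"]["msg"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
                if first_match_only:
                    break
    return alerts


# Rules and packets quoted in the thread (rule order matters).
RULES = [parse_rule(r) for r in (
    'alert tcp 127.0.0.1/32 any -> 192.168.1.0/24 any (msg:"Attempt to Connect via Fake Localhost";)',
    'alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg:"NMAP TCP ping";)',
)]
PACKETS = [parse_tcpdump_line(l) for l in (
    "13:01:36.428180 127.0.0.1.2525 > 192.168.1.1.23: . ack 0 win 512",
    "13:01:47.152670 10.1.1.1.4762 > 192.168.1.1.23: . ack 0 win 512",
)]

if __name__ == "__main__":
    print("first match only:", *evaluate(RULES, PACKETS), sep="\n  ")
    print("evaluate all:", *evaluate(RULES, PACKETS, first_match_only=False), sep="\n  ")
```

Swapping the order of the two rules in RULES changes which message the first packet produces under first-match semantics, which is why rule ordering (most specific first) matters when a sensor stops at the first hit.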
