Problems with the ordering inside the rules
From: "Sergio Talens-Oliag" <stalens () infocentre gva es>
Date: Tue, 28 Oct 2003 11:21:25 +0100
Hello everybody,
I don't know if this problem has been reported before or if there's
something we're doing wrong, so I'll ask here to see if someone can
help us understand what is happening.
We have snort running on a couple of sensors configured to work from a
snortcenter console; the sensors are started using the '-o' option so
rules get evaluated in 'pass -> alert -> log' order.
When an active rule throws a lot of alerts because it is detecting
some legitimate traffic as an attack (and we know that in other cases
it is) we copy the affected alert rule and turn it into a pass rule,
changing the variable(s) to ignore only the valid cases.
Everything has worked fine until last week when we modified twice a
'pass' rule on the snortcenter's console and now it generates the
resulting rule changing the order of the 'content' fields. Now, the
pass rule is ignored and we are again receiving the alerts from the
original rule.
The affected rule is:
pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;)
We've changed the order on the sensor's rules file as follows and everything
works as expected:
pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;)
So, our question is:
Is there a strict ordering needed in the content attributes or not?
If it is, there is a bug in snortcenter; if it is not, there is a bug
in snort.
Thanks in advance,
Sergio.
--
Sergio Talens-Oliag <stalens () infocentre gva es> Info Centre
Key fingerprint = 29DF 544F 1BD9 548C 8F15 86EF 6770 052B B8C1 FA69
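As an added example (not part of the original post and not Snort's own code), the following Python model applies the two content orderings from the rules above to constructed POP3 payloads to show whether they match the same traffic. The semantics assumed for 'within' and for negated content are a simplification of Snort 2.x relative matching, and every payload is constructed, not captured.

```python
# Simplified model (assumption, not Snort code) of a Snort 2.x 'content'
# chain with 'nocase' and the relative modifier 'within': each content is
# searched from the cursor left by the previous match; 'within: N' limits
# the search to the N bytes after that cursor (payload start for the first
# content); a negated content (!"...") matches when the pattern is absent
# from its window and leaves the cursor where it was.

def _find(window: bytes, pattern: bytes, nocase: bool) -> int:
    if nocase:
        return window.lower().find(pattern.lower())
    return window.find(pattern)

def match_chain(payload: bytes, chain: list) -> bool:
    """True if every content in 'chain' matches 'payload' in order."""
    cursor = 0
    for c in chain:
        window = payload[cursor:]
        if c.get("within") is not None:
            window = window[: c["within"]]
        pos = _find(window, c["pattern"], c.get("nocase", False))
        if c.get("negated", False):
            if pos != -1:      # forbidden pattern present in its window
                return False
            continue           # negated content does not move the cursor
        if pos == -1:
            return False
        cursor += pos + len(c["pattern"])
    return True

# Content chains as written in the post: the hand-made pass rule (sid 1000010)
# and the order snortcenter produced for the alert rule (sid 2109).
PASS_CHAIN = [
    {"pattern": b"TOP", "nocase": True},
    {"pattern": b"\n", "negated": True, "within": 10},
]
ALERT_CHAIN = [
    {"pattern": b"\n", "negated": True, "within": 10},
    {"pattern": b"TOP", "nocase": True},
]

def compare(payload: bytes) -> tuple:
    """(pass chain matches, alert chain matches) for one payload."""
    return match_chain(payload, PASS_CHAIN), match_chain(payload, ALERT_CHAIN)

if __name__ == "__main__":
    samples = {  # constructed POP3 client payloads
        "long TOP argument": b"TOP 1 " + b"A" * 40 + b"\r\n",
        "USER line, then long TOP": b"USER bob\r\nTOP 1 " + b"A" * 40 + b"\r\n",
        "padding, then short TOP": b"A" * 20 + b"TOP " + b"BBBBB" + b"\r\n",
    }
    for name, payload in samples.items():
        print(f"{name:26s} (pass, alert) = {compare(payload)}")
```

Under this model the third sample matches the alert chain but not the pass chain, so the two orderings are not equivalent and a pass rule written in one order cannot be relied on to cover an alert rule written in the other; the safe practice is to copy the alert rule's option order exactly into the pass rule.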
