Snort mailing list archives

FW: Question - snort v2.9.6.0 rules


From: Eray Balkanli <Eray.Balkanli () Dal Ca>
Date: Sun, 9 Mar 2014 21:29:10 +0000

Hi,


Are there any news related to this issue?


Best regards,

Eray

________________________________
From: Eray Balkanli
Sent: Friday, 07 March 2014 10:41
To: Eray Balkanlı; Joel Esler (jesler)
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Question - snort v2.9.6.0 rules


Hi,


I have just noticed that this e-mail could not be received by snort-devel@lists since I used hotmail instead of dal.ca 
while sending it. I also kindly request the snort-devel team, besides Mr. Esler, to read my question in my previous e-mail 
and share their ideas with me.


In summary, my question was why some rules (example below) were deleted over the years. What is the exact reference you are 
following while deciding to delete/replace a rule?


Example:

# $Id: icmp.rules,v 1.27 2005/02/10 01:11:04 bmc Exp $

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

These rules are NOT present in "protocol-icmp.rules" from snort-rules 2.9.6.0. (Why?)

"
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.

"
I will be grateful if you reply to me.

Best regards,
Eray


________________________________
From: Eray Balkanlı <eraybalkanli () hotmail com>
Sent: Thursday, 06 March 2014 13:34
To: Joel Esler (jesler); Eray Balkanli
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Question - snort v2.9.6.0 rules

Hi,

First of all, thank you very much for your interest and answer!

To be clearer, let me explain my question in more depth.

Now, I am using both the ruleset from v2.9.1 and the one from v2.9.6.0, and I see there are many changes between the rulesets, as 
expected. When I check "icmp.rules" and "icmp-info.rules" in 2.9.1, I observe that they contain lots of rules. 
However, icmp.rules and icmp-info.rules are empty, containing no rules, but I see a protocol-icmp.rules there which 
contains some rules related to ICMP packets. Still, some rules have been deleted completely. For example:

icmp.rules (v2.9.1) contains:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

icmp-info.rules (v2.9.1) contains:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)

I cannot see these rules in protocol-icmp.rules (v2.9.6.0). And there are more rules which are present in v2.9.1 
but not in v2.9.6.0.

In this regard, may I ask why these rules were deleted? Could you please explain on which references you base the 
decision to delete existing rules?

* You can find the rules I use ("icmp.rules (v2.9.1), icmp-info.rules (v2.9.1) and protocol-icmp.rules (2.9.6.0)") in the 
attachment of this mail.

I appreciate your kind interest. Thank you!

Best regards,
Eray

________________________________
From: jesler () cisco com
To: Eray.Balkanli () Dal Ca
CC: snort-devel () lists sourceforge net; eraybalkanli () hotmail com
Subject: Re: [Snort-devel] Question - snort v2.9.6.0 rules
Date: Tue, 4 Mar 2014 17:47:23 +0000

Within the rules we use a variety of references that you may look at to tell which vulnerabilities the rules cover, and 
from what year.  I encourage you to download the registered ruleset and grep through for “CVE” numbers, etc.

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

On Mar 4, 2014, at 12:07 PM, Eray Balkanli <Eray.Balkanli () Dal Ca> wrote:

Hi,

I am a graduate Computer Science student at Dalhousie University. I have been working on some network records by using 
the rules included in Snort v2.9.6.0. I have a question related to those rules; I will be grateful if you reply.

May I ask how many recent years the defined rules are based on? I mean, from which year onwards have the attack signatures 
of malicious packets been considered?

Thank you very much in advance!

Best regards,
Eray
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

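Joel's suggestion above is to grep the ruleset for reference keywords such as "CVE" to see which vulnerabilities, and which years, the rules cover; Eray's question is which sids disappeared between two ruleset versions. The following script, added here as an illustration and not part of the thread or of the Snort/Sourcefire rule tooling, does both: it parses Snort 2.x rule lines into sid, rev, msg and reference fields, extracts the year from each `reference:cve,YYYY-NNNN` entry, and diffs two rulesets by sid. The "old" sample is built from rules quoted in the thread; the "new" sample is a constructed stand-in (including a placeholder local sid and a url reference) and is not the real protocol-icmp.rules content.

```python
"""Parse Snort 2.x rule files, pull out sid/rev/msg/reference fields, count CVE
years and diff two rulesets by sid.  Added example; not Snort or Sourcefire code."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*\((?P<body>.*)\)\s*$')
# CVE ids in rules appear as "1999-0265" or "CVE-1999-0265"; group 1 is the year.
CVE_RE = re.compile(r'^(?:cve-)?(\d{4})-\d+$', re.IGNORECASE)


@dataclass
class Rule:
    sid: int
    rev: int
    msg: str
    classtype: str
    refs: list = field(default_factory=list)   # [(system, id), ...]
    header: str = ''


def split_options(body):
    """Split the option body on ';' while honouring quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == '\\':
            cur.append(ch); escaped = True
        elif ch == '"':
            in_quote = not in_quote; cur.append(ch)
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    """Parse one rule line into a Rule, or return None if it is not a rule."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {'sid': None, 'rev': 0, 'msg': '', 'classtype': ''}
    refs = []
    for opt in split_options(m.group('body')):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key in ('sid', 'rev'):
            fields[key] = int(val)
        elif key in ('msg', 'classtype'):
            fields[key] = val.strip('"')
        elif key == 'reference':
            system, _, ident = val.partition(',')
            refs.append((system.strip().lower(), ident.strip()))
    if fields['sid'] is None:
        return None   # a rule without a sid cannot be tracked across versions
    header = ' '.join(m.group(g) for g in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport'))
    return Rule(fields['sid'], fields['rev'], fields['msg'], fields['classtype'], refs, header)


def parse_rules(text):
    """Return {sid: Rule}; comments and blanks skipped, backslash-continued lines joined."""
    rules, pending = {}, ''
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith('\\'):
            pending = line[:-1]
            continue
        pending = ''
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        rule = parse_rule(stripped)
        if rule:
            rules[rule.sid] = rule
    return rules


def cve_years(rule):
    """Set of years taken from the rule's cve references (empty if it has none)."""
    years = set()
    for system, ident in rule.refs:
        if system == 'cve':
            m = CVE_RE.match(ident)
            if m:
                years.add(int(m.group(1)))
    return years


def coverage_by_year(rules):
    """Count rules by earliest CVE year; rules with no CVE reference are counted under None."""
    counts = Counter()
    for rule in rules.values():
        years = cve_years(rule)
        counts[min(years) if years else None] += 1
    return counts


def diff_rulesets(old, new):
    """Sids removed, added, and present in both but with a different rev."""
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    changed = sorted(s for s in set(old) & set(new) if old[s].rev != new[s].rev)
    return removed, added, changed


# Sample "old" file: rules quoted in the thread, plus the Id header line.
OLD_RULES = """\
# $Id: icmp.rules,v 1.27 2005/02/10 01:11:04 bmc Exp $
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
"""
# Constructed "new" file: a stand-in for a later ruleset, NOT the real protocol-icmp.rules.
# sid 472 got a rev bump, 473 is unchanged (wrapped with a continuation), 1000001 is a local placeholder.
NEW_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; \\
    reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL placeholder rule"; itype:8; reference:url,example.invalid/placeholder; classtype:misc-activity; sid:1000001; rev:1;)
"""


def report(old_text, new_text):
    old, new = parse_rules(old_text), parse_rules(new_text)
    removed, added, changed = diff_rulesets(old, new)
    return {
        'removed': [(s, old[s].msg, sorted(cve_years(old[s]))) for s in removed],
        'added': [(s, new[s].msg) for s in added],
        'changed': [(s, old[s].rev, new[s].rev) for s in changed],
        'old_by_cve_year': dict(coverage_by_year(old)),
    }


if __name__ == '__main__':
    for key, value in report(OLD_RULES, NEW_RULES).items():
        print(key, value)
```

Run against two real rule directories, `report(open(a).read(), open(b).read())` lists the sids that vanished together with the CVE years they referenced, which is the evidence the thread asks for; the `None` bucket in `old_by_cve_year` is the set of rules (such as sids 499 and 381 above) that carry no CVE reference at all, so their age cannot be judged by grepping for "CVE".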
