Snort mailing list archives
Re: new//Re:help: how to use binder to give different flow with different ips-rules ?
From: sean murphy via Snort-users <snort-users () lists snort org>
Date: Wed, 13 Mar 2019 10:46:18 -0400
Pardon the interruption, but can someone reply with the method for unsubscribing? I have tried both of these options:

Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org

I receive a "bounce" message and am still getting the messages from the forum.
-Sean

On Wed, Mar 13, 2019 at 9:41 AM Carter Waxman (cwaxman) via Snort-users <snort-users () lists snort org> wrote:
Also to follow up on your previous question, the example you showed is the
correct usage of binder for policy selection.
From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Wednesday, March 13, 2019 at 9:12 AM
To: sofardware <sofardware () 126 com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] new//Re:help: how to use binder to give different flow with different ips-rules ?
What happens if you flip the binding order? Do you have a pcap? The
expected behavior is to loop through all bindings but choose the first of
each matching policy type, so if an ips policy is selected, use =
ips_policy should be ignored later in the binding list. This allows ips,
network and inspection policies to be selected on different criteria.
- Carter
From: Snort-users <snort-users-bounces () lists snort org> on behalf of sofardware via Snort-users <snort-users () lists snort org>
Reply-To: sofardware <sofardware () 126 com>
Date: Wednesday, March 13, 2019 at 4:39 AM
To: sofardware <sofardware () 126 com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] new//Re:help: how to use binder to give different flow with different ips-rules ?
Snort can not do what I want. Who can tell me whether there is
something wrong in the use of binder, or whether snort can only do it like this???
I want packets with net 15.5.5.0/24 to hit the rule in ips1.lua,
while packets with net 15.5.5.0/24 to hit the rule in ips.lua.
I have tried the binder with the following files (snort.lua, ips1.lua, ips.lua):
The result is that the packets with net 15.5.5.0/24 and packets with net
11.1.3.0/24 both hit the ips.lua.
When I move the second binder policy to the first, the packets with net
15.5.5.0/24 and packets with net 11.1.3.0/24 both hit the ips1.lua.
So, the real binding is with the last policy, rather than with the
condition in "when={}".
Why???
--------------------------------------------------------
snort.lua:
dofile(dir .. '/snort_defaults.lua')
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
network = { decode_drops = true }
binder =
{
    { when = { nets = "15.5.5.0/24" }, use = { ips_policy = "ips1.lua" } },
    { when = { nets = "11.1.3.0/24" }, use = { ips_policy = "ips.lua" } },
}
----------------------------------------------
ips1.lua
dofile(dir .. '/snort_defaults.lua')
ips =
{
    -- alternative settings left commented out (the comment must stay on one line, or Lua treats the wrapped tail as code)
    --rules = "alert udp any any -> any 5060 ( sid:1000001; sip_method:invite1 )",
    --enable_builtin_rules = true
    rules =
    [[
    alert udp ( msg:"File_Data_Matched:ips1###############################udp#############################~\n"; sid:11116; )
    ]]
}
--------------------------------------------
ips.lua
dofile(dir .. '/snort_defaults.lua')
ips =
{
    -- alternative settings left commented out (the comment must stay on one line, or Lua treats the wrapped tail as code)
    --rules = "alert udp any any -> any 5060 ( sid:1000001; sip_method:invite1 )",
    --enable_builtin_rules = true
    rules =
    [[
    alert udp ( msg:"File_Data_Matched:ips~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11116; )
    ]]
}
At 2019-03-13 15:22:40, "sofardware" <sofardware () 126 com> wrote:
Hi all,
For example, what I want to do:
when source net = 1.1.1.1/16, use ips rule files:
snort3-browser-ie.rules, snort3-browser-firefox.rules
when source net = 1.1.1.1/16, use ips rule files:
snort3-indicator-shellcode.rules, snort3-malware-backdoor.rules
How can I use the flow binder:
string binder[].use.ips_policy: use ips policy from given file
//what should be filled in the given file? The snort3 manual does not say
what ips_policy is
ips =
{
include = 'snort3-browser-ie.rules'
} // Is this an ips_policy??? If yes, what is the difference between
realizing the above thing with binder[].use.ips_policy and binder[].use.file
???
Other help needed:
how can the following binders be used? There is no detailed help info
or example in --help or the manual:
string binder[].use.inspection_policy: use inspection policy from
given file
string binder[].use.network_policy: use network policy from given
file
int binder[].when.ips_policy_id = 0: unique ID for selection of
this config by external logic { 0: }
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest
Snort news!
Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette
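The selection behaviour Carter describes above (walk every binding in order, but keep only the first match of each policy type, so ips, network and inspection policies can be chosen on different criteria) as an added example; this is not configuration from the thread or from the Snort project. The subnets, the policy file names (ips_servers.lua, ips_clients.lua, ips_default.lua, net_strict.lua) and their placement are constructed placeholders; when.nets, use.ips_policy and use.network_policy are the binder parameters named in the thread, and when.proto, when.ports and use.type are standard Snort 3 binder keys.

```lua
-- snort.lua: added example, not from the thread. Subnets and policy file names
-- are constructed placeholders; every file named in an ips_policy must exist
-- beside this file and define an ips = { ... } table (same shape as the thread's
-- ips1.lua); net_strict.lua likewise holds a network = { ... } table.
dofile(dir .. '/snort_defaults.lua')

stream     = { }
stream_ip  = { }
stream_tcp = { }
stream_udp = { }
sip        = { }               -- required because a binding below uses type = 'sip'
wizard     = default_wizard    -- defined by snort_defaults.lua

binder =
{
    -- ips_policy: bindings are walked in order, but only the FIRST matching
    -- binding of each policy type is used. A flow from 15.5.5.0/24 takes the
    -- first binding and the second is then ignored for that flow; a flow from
    -- 11.1.3.0/24 fails the first "when" and takes the second.
    { when = { nets = '15.5.5.0/24' }, use = { ips_policy = 'ips_servers.lua' } },
    { when = { nets = '11.1.3.0/24' }, use = { ips_policy = 'ips_clients.lua' } },

    -- Catch-all ips_policy with no "when": it matches every flow, so it must be
    -- LAST among the ips_policy bindings. Placed first it would win for every
    -- flow and the per-subnet policies above would never be selected.
    { use = { ips_policy = 'ips_default.lua' } },

    -- network_policy is a different policy type, so this binding is still
    -- honoured for 15.5.5.0/24 flows even though an ips_policy was already chosen.
    { when = { nets = '15.5.5.0/24' }, use = { network_policy = 'net_strict.lua' } },

    -- Inspector selection by protocol and port is independent of the policy
    -- bindings above; the wizard binding is the usual fallback.
    { when = { proto = 'udp', ports = '5060' }, use = { type = 'sip' } },
    { use = { type = 'wizard' } },
}
```

Validate the binding set before putting traffic through it: `snort -c snort.lua -T` loads the configuration and the referenced policy files and reports any error; `snort -c snort.lua -r capture.pcap -A alert_fast` then shows which policy's rule fires for traffic from each subnet, which is the pcap-based check Carter asks for above. If a catch-all binding is reordered ahead of the per-subnet ones, every flow reports the catch-all policy's alerts, so an alert whose msg names the policy file (as the thread's ips1.lua and ips.lua rules do) is a convenient way to confirm the selection.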
Current thread:
- help: how to use binder to give different flow with different ips-rules ? sofardware via Snort-users (Mar 13)
- new//Re:help: how to use binder to give different flow with different ips-rules ? sofardware via Snort-users (Mar 13)
- resoved//Re:new//Re:help: how to use binder to give different flow with different ips-rules ? sofardware via Snort-users (Mar 13)
- Re: new//Re:help: how to use binder to give different flow with different ips-rules ? Carter Waxman (cwaxman) via Snort-users (Mar 13)
- Re: new//Re:help: how to use binder to give different flow with different ips-rules ? Carter Waxman (cwaxman) via Snort-users (Mar 13)
- Re: new//Re:help: how to use binder to give different flow with different ips-rules ? sean murphy via Snort-users (Mar 13)
- new//Re:help: how to use binder to give different flow with different ips-rules ? sofardware via Snort-users (Mar 13)
