
List:       snort-users
Subject:    [Snort-users] Unsubscribe ...
From:       Lyndon Tiu <ltiu () alumni ! sfu ! ca>
Date:       2004-11-26 15:17:03
Message-ID: 200411260717.03763.ltiu () alumni ! sfu ! ca

Hello,

I apologize for sending an email to the group asking how to unsubscribe. The
attached email did not contain any information at the bottom on how to
subscribe, AND I happened to have picked this one to look at ...

--
Lyndon Tiu



["forwarded message" (message/rfc822)]

There is a sensor between an edge router and the premises distribution router. Traffic
from, say, 3 DMZs plus the intranet is captured by a Snort IDS.
We would like to separate the alerts based on the DMZ network address of the alert. I had
thought I could collect all the alerts in one database and create an acid.php script
for each DMZ and create an ACID database for each DMZ. While I would love the challenge,
the mind is strong but the programming skills are weak. A senior administrator
suggested that I define a ruletype for each DMZ.
Questions:
1. Assuming I have 2000 rules, if I were to implement the following for 3 DMZs
I would have a total of 8000 rules. Would this many rules affect a Snort IDS sensor's
performance? I realize that the answer to my question depends on how the rule lists
are implemented. If the rules were in a linearly linked list I know the performance
would be affected. In a B-tree, where the more specific rule lists are tried first,
the time to access any rule should be constant and the performance should not be
affected?

2. Is the syntax in my example snort.conf and Snort rules correct?

3. Is there a better way to create rules that send alerts to a particular database
based on the DMZ network address?


#Example excerpt of snort.conf
# One custom rule action per DMZ: alerts go to syslog and to that DMZ's own
# database (dbname must differ per ruletype: dmz1, dmz2, dmz3).
ruletype DMZ1_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz1 host=localhost
}
ruletype DMZ2_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz2 host=localhost
}
ruletype DMZ3_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz3 host=localhost
}

# Address space of each DMZ (one var per DMZ, referenced as $DMZn_NET in rules)
var DMZ1_NET [192.168.1.0/24,10.1.1.0/24]
var DMZ2_NET [192.168.2.0/24,10.1.2.0/24]
var DMZ3_NET [192.168.3.0/24,10.1.3.0/24]

var RULE_PATH /snort/rules
# Sub-directory name under $RULE_PATH holding each DMZ's copy of the rule files
var DMZ1 DMZ1_NET
var DMZ2 DMZ2_NET
var DMZ3 DMZ3_NET

include $RULE_PATH/exploit.rules
include $RULE_PATH/$DMZ1/exploit.rules
include $RULE_PATH/$DMZ2/exploit.rules
include $RULE_PATH/$DMZ3/exploit.rules
----------------------------
Example of a few Snort Rules.
# sid values below are placeholder local SIDs (>= 1000000); every rule needs its own.
/snort/rules/exploit.rules
alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|"; \
offset:40; depth:75; sid:1000001; rev:1;)

/snort/rules/DMZ1_NET/exploit.rules
DMZ1_alert tcp any any -> $DMZ1_NET any (msg:"Possible exploit"; content:"|90|"; \
offset:40; depth:75; sid:1000002; rev:1;)

/snort/rules/DMZ2_NET/exploit.rules
DMZ2_alert tcp any any -> $DMZ2_NET any (msg:"Possible exploit"; content:"|90|"; \
offset:40; depth:75; sid:1000003; rev:1;)

/snort/rules/DMZ3_NET/exploit.rules
DMZ3_alert tcp any any -> $DMZ3_NET any (msg:"Possible exploit"; content:"|90|"; \
offset:40; depth:75; sid:1000004; rev:1;)


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
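For question 3 in the forwarded message (a better way than tripling the rule set), the following is an added example for this thread, not code from the original post or from the Snort project. It keeps ONE rule set on the sensor and splits the alerts by DMZ afterwards: each alert's destination address is matched against the same CIDR lists as the var DMZn_NET definitions in the post, and the alert is dropped into that DMZ's bucket (from which a per-DMZ database or ACID instance could be fed). It assumes the sensor writes alerts in Snort's "fast" alert format (output alert_fast); the sample alert lines are constructed for the example.

```python
"""Split Snort alerts into per-DMZ buckets after the fact.

Added example for this thread, not code from the original post or from the
Snort project. It assumes the sensor keeps ONE rule set and writes alerts in
Snort's "fast" format (output alert_fast); the DMZ address lists mirror the
var DMZn_NET definitions in the post. The sample alert lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Address space of each DMZ (same CIDRs as the post's var lists).
DMZ_NETS = {
    "dmz1": ["192.168.1.0/24", "10.1.1.0/24"],
    "dmz2": ["192.168.2.0/24", "10.1.2.0/24"],
    "dmz3": ["192.168.3.0/24", "10.1.3.0/24"],
}

# Parse the CIDRs once; classifying an alert is then a few prefix checks,
# and the sensor never has to carry per-DMZ copies of the rules.
_DMZ_TABLE = [(name, ipaddress.ip_network(cidr))
              for name, cidrs in DMZ_NETS.items() for cidr in cidrs]

# One "fast" alert line, e.g.
#   11/26-07:17:03.037630  [**] [1:1000001:1] Possible exploit [**]
#       [Priority: 2] {TCP} 10.9.9.9:4444 -> 192.168.1.10:80
# Ports are optional so ICMP alerts parse too.
_FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Fields of one fast-format alert as a dict, or None if the line does not parse."""
    m = _FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    return alert


def dmz_for(ip):
    """Name of the DMZ whose address space contains ip, or None (intranet, Internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in _DMZ_TABLE:
        if addr in net:
            return name
    return None


def route_alerts(lines):
    """Group alerts by the DMZ of their destination address.

    Mirrors the '-> $DMZn_NET' direction of the rules in the post. Alerts whose
    destination is in no DMZ land in 'other' and lines that do not parse in
    'unparsed', so nothing is dropped silently.
    """
    buckets = defaultdict(list)
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            buckets["unparsed"].append(line)
            continue
        buckets[dmz_for(alert["dst"]) or "other"].append(alert)
    return dict(buckets)


# Constructed sample input: four DMZ-bound alerts, one intranet-bound alert,
# and one junk line such as log rotation might leave behind.
SAMPLE_ALERTS = [
    "11/26-07:17:03.037630  [**] [1:1000001:1] Possible exploit [**] "
    "[Priority: 2] {TCP} 10.9.9.9:4444 -> 192.168.1.10:80",
    "11/26-07:17:04.100000  [**] [1:1000001:1] Possible exploit [**] "
    "[Priority: 2] {TCP} 172.16.5.5:51000 -> 10.1.2.20:443",
    "11/26-07:17:05.200000  [**] [1:1000001:1] Possible exploit [**] "
    "[Priority: 2] {TCP} 10.9.9.9:4445 -> 192.168.3.7:22",
    "11/26-07:17:06.300000  [**] [1:1000002:1] ICMP probe [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.9.9.9 -> 10.1.1.5",
    "11/26-07:17:07.400000  [**] [1:1000001:1] Possible exploit [**] "
    "[Priority: 2] {TCP} 10.9.9.9:4446 -> 172.16.50.1:80",
    "garbage line left by log rotation",
]

if __name__ == "__main__":
    for dmz, alerts in sorted(route_alerts(SAMPLE_ALERTS).items()):
        print(f"{dmz}: {len(alerts)} alert(s)")
```

Routing on the destination address matches the `-> $DMZn_NET` direction of the rules in the post; an alert where a DMZ host is the source (outbound from a possibly compromised host) would land in "other" here, so a deployment that wants those in the DMZ's bucket too should check the source address as a second step. The "unparsed" bucket exists so that a format change or a corrupt line is noticed rather than quietly discarded.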

