
[Snort-users] Unsubscribe ...

Subject: [Snort-users] Unsubscribe ...
Date: Fri, 26 Nov 2004 07:17:03 -0800
Hello,

I apologize for sending an email to the group asking how to unsubscribe. The 
attached email did not contain any information at the bottom on how to 
subscribe AND I happen to have picked this one to look at ... 

--
Lyndon Tiu


--- Begin Message ---
Subject: [Snort-users] creating custom rule actions for each DMZ
Date: Wed, 24 Nov 2004 17:31:48 -0500
There is a sensor between an edge router and the premises distribution router.
Traffic from, say, 3 DMZs plus the intranet is captured by
a Snort IDS.
We would like to separate the alerts based on DMZ Network address of the alert. 
I had thought I could collect all the
alerts in one database and create an acid.php script for each DMZ and create an 
acid database
for DMZ. While I would love the challenge, the mind is strong but the 
programming skills are weak.
A senior administrator suggested that I define a ruletype for each DMZ.
Questions: 
1. Assuming I have 2000 rules, if I were to implement the following for 3 DMZs
I would have a total of 8000 rules. Would this many rules affect a snort ids 
sensor's performance?
I realize that the answer to my question depends on how the rule lists are 
implemented.
If the rules were in a linearly linked list I know the performance would be 
affected.
In a B-tree, where the more specific rule lists are tried first, the time
to access any rule should be constant and the performance should not be 
affected?

2. Is the syntax in my example snort.conf and Snort rules correct?

3. Is there a better way to create rules that send alerts to a particular 
database
based on the DMZ network address?


#Example excerpt of snort.conf
# One ruletype per DMZ. Each behaves like "alert" but sends its events to
# syslog and to that DMZ's own MySQL database.
ruletype DMZ1_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz1 host=localhost
}
ruletype DMZ2_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz2 host=localhost
}
ruletype DMZ3_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz3 host=localhost
}

# Address ranges of each DMZ; used as the destination in the per-DMZ rules.
var DMZ1_NET [192.168.1.0/24,10.1.1.0/24]

var DMZ2_NET [192.168.2.0/24,10.1.2.0/24]

var DMZ3_NET [192.168.3.0/24,10.1.3.0/24]

var RULE_PATH /snort/rules
# Directory names under $RULE_PATH that hold each DMZ's copy of the rules.
var DMZ1 DMZ1_NET
var DMZ2 DMZ2_NET
var DMZ3 DMZ3_NET

include $RULE_PATH/exploit.rules
include $RULE_PATH/$DMZ1/exploit.rules
include $RULE_PATH/$DMZ2/exploit.rules
include $RULE_PATH/$DMZ3/exploit.rules
----------------------------
Example of a few Snort rules.
/snort/rules/exploit.rules
alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|"; \
offset:40; depth:75;)

/snort/rules/DMZ1_NET/exploit.rules
DMZ1_alert tcp any any -> $DMZ1_NET any (msg:"Possible exploit"; content:"|90|"; \
offset:40; depth:75;)

/snort/rules/DMZ2_NET/exploit.rules
DMZ2_alert tcp any any -> $DMZ2_NET any (msg:"Possible exploit"; content:"|90|"; \
offset:40; depth:75;)

/snort/rules/DMZ3_NET/exploit.rules
DMZ3_alert tcp any any -> $DMZ3_NET any (msg:"Possible exploit"; content:"|90|"; \
offset:40; depth:75;)

--- End Message ---
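The forwarded post asks (question 3) whether there is a way to get per-DMZ alert databases without keeping a separate copy of every rule per DMZ. One alternative, shown here as an added example that is not part of the original thread and not code from the Snort project, is to run a single rule set with a single alert stream and partition the alerts afterwards by which DMZ range the destination address falls in, using the address ranges from the posted snort.conf. The script assumes the Snort 2.x `alert_fast` line format and IPv4 addresses; the alert lines it processes are constructed for the example, not captured traffic. Each returned bucket is what a per-DMZ database loader or ACID instance would consume.

```python
# Partition Snort alert_fast output by DMZ destination network.
# Added example, not from the original post. Assumes the Snort 2.x alert_fast
# line format and IPv4 addresses. SAMPLE_ALERTS below is constructed data.
import ipaddress
import re
from collections import defaultdict

# DMZ address ranges as listed in the posted snort.conf.
DMZ_NETS = {
    "DMZ1": ["192.168.1.0/24", "10.1.1.0/24"],
    "DMZ2": ["192.168.2.0/24", "10.1.2.0/24"],
    "DMZ3": ["192.168.3.0/24", "10.1.3.0/24"],
}
DMZ_NETWORKS = {
    name: [ipaddress.ip_network(n) for n in nets] for name, nets in DMZ_NETS.items()
}

# Snort 2.x alert_fast line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: n] {PROTO} src[:sport] -> dst[:dport]
# Classification is optional; ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict; return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    return alert


def dmz_for(ip_str):
    """Return the DMZ whose ranges contain ip_str, or 'OTHER' if none does."""
    ip = ipaddress.ip_address(ip_str)
    for name, nets in DMZ_NETWORKS.items():
        if any(ip in net for net in nets):
            return name
    return "OTHER"


def route_alerts(lines):
    """Group parsed alerts by the DMZ of their destination address.

    Alerts whose destination is outside every DMZ (intranet hosts, or traffic
    leaving a DMZ) go to 'OTHER'; lines that do not parse go to 'UNPARSED' so
    nothing is silently dropped.
    """
    buckets = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            buckets["UNPARSED"].append(line)
            continue
        buckets[dmz_for(alert["dst"])].append(alert)
    return dict(buckets)


# Constructed sample alert lines (not real captured alerts).
SAMPLE_ALERTS = """\
11/24-17:31:48.102938  [**] [1:1000001:1] Possible exploit [**] [Priority: 0] {TCP} 172.16.5.9:40112 -> 192.168.1.20:80
11/24-17:31:49.554321  [**] [1:1000001:1] Possible exploit [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:2345 -> 10.1.3.4:443
11/24-17:31:50.000001  [**] [1:1000002:1] Ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.15 -> 10.9.9.9
this is not an alert line
11/24-17:31:51.777777  [**] [1:1000001:1] Possible exploit [**] [Priority: 0] {TCP} 10.0.0.5:5555 -> 10.1.2.200:25
"""

if __name__ == "__main__":
    for dmz, alerts in sorted(route_alerts(SAMPLE_ALERTS.splitlines()).items()):
        print(f"{dmz}: {len(alerts)} alert(s)")
```

Because every rule is loaded once, the rule count stays at 2000 instead of 8000 and the routing decision is made on the alert, not in the detection engine; the cost is that the split happens after Snort has written the alert, so it belongs in whatever reads the alert file or database, not in snort.conf. The `OTHER` bucket matters: with the ruletype approach, traffic from a DMZ to the intranet matches none of the `-> $DMZn_NET` rules, and here it is kept rather than lost.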