Charlotte,
You have some really good questions here.
1. How the order of rules is maintained.
2. AND/OR statements within rules
3. How to ignore false positives.
4. You want to have multiple rules trigger on the same traffic.
Okay.
1. I am going to refer you, and, everyone else that is interested in how our
current Rule Optimizer and Multi-Rule Inspection Engine and it¹s various
algorithms, to the whitepapers we have published on snort.org..
http://www.snort.org/docs/#devel They are written by Marc Norton and Dan
Roelker. Two guys that are on our engineering team, and work really hard on
the ³Packet Matching engine². So check out those papers at the link, and
that should help you a lot.
2. Read those whitepapers first and that should explain a few things, if
you still have questions, write the list back :)
3. How to ignore false positives. Okay, so you want to look for ³rm%20²
but not ³Form%20². Makes sense, however, before we proceed down the road
of editing rules and such, lets get a couple things out of the way. A) What
version of Snort are you running? And B) Are you running the latest rule
pack available by registration at www.snort.org/rules?
4. Refer to the above two questions first.
Please respond to the list so that everyone is available to help!
Joel Esler
SOURCEfire
On 3/17/06 5:23 PM, "SAWYER Charlotte M" <Charlotte.M.Sawyer@state.or.us>
said unto me:
I've searched the internet and email list archives and found some near
answers, but nothing that definitively answered my question.
I've read some of the stuff on RTN/OTN parsing and it didn't help me much.
Sorry.
I understand that the .conf file and rules files are read into a decision
tree-linked list memory environment for snort to work with. What I'm not so
clear on is if the order of the rules is maintained when it's loaded in.
One reference (don't remember now where I saw it) said that the rules files
can be considered as AND statements and the rules with in a particular file
can be considered OR statements.
I've been experimenting with adding rules to ignore some traffic that is
generating false positives. In one situation I want to ignore traffic that
ALMOST matches the web-attacks rm command alert. I'm seeing a fair amount of
alerts where the rm%20 is actually a part of Form%20 or some other string.
I'd like to not have to review those alerts but I don't want to select based
on IP, I want to check for the content and not alert if it has Form%20 in it.
Because I'm new to editing rules, I wanted to have the regular rule trigger as
well as my changed one. Guest that's not an option.
Anyway, the results were not what I expected.......I didn't see any alerts
with Form%20 in them, but neither did I see the ones that would match on
Confirm%20.
I'm sooo confused. :-) Thanks in advance for any help/suggestions/etc.
