SNORT Rules not working



  • I have been playing around with RC3. I got the oinkid from snort.org and downloaded the latest rules.
    I checked the "p2p.rules" option and kicked off Azureus, but I do not see anything logged in the "Snort Alerts" section.
    I even checked all the rules and nothing comes up. I figured that at least something would appear, but nothing happened. Am I doing something wrong?



  • Click on the rule name in the rules list and it will open the rule in the edit window. The p2p rules don't cover bittorrent. It tries to detect gnutella, edonkey, skype, etc. I don't think that any of the rules detect bittorrent atm. Google for signatures that cover bittorrent too and add them to your p2p detection rules.



  • Bleeding Snort has signatures for detecting bittorrent in their p2p ruleset:

    By Chich Thierry

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P BitTorrent peer sync"; flow: established; content:"|0000000d0600|"; offset: 0; depth: 6; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000334; rev:7; )
    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; offset: 0; depth: 8; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000357; rev:3; )
    alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg: "BLEEDING-EDGE P2P BitTorrent Announce"; flow: to_server,established; content:"/announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000369; rev:4; )
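To see what the three quoted rules would and would not fire on, here is a small matcher (an added example, not Snort or pfSense code) that parses them and applies only the destination-port, content, offset and depth semantics; the sample payloads are constructed, not captured, and the ports are assumptions.

```python
import re
# The three Bleeding Snort rules quoted in the post above, as text to parse.
RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P BitTorrent peer sync"; flow: established; content:"|0000000d0600|"; offset: 0; depth: 6; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000334; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; offset: 0; depth: 8; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000357; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg: "BLEEDING-EDGE P2P BitTorrent Announce"; flow: to_server,established; content:"/announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000369; rev:4; )
'''
# Rule header: action proto src sport dir dst dport (options); we keep dport and the options.
HEADER = re.compile(r'^\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\S+)\s*\((.*)\)\s*$')

def content_bytes(spec):
    """Snort content string to bytes: text outside |..| is literal, inside is hex."""
    parts = spec.split('|')
    return b''.join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def parse_rule(line):
    """Extract the fields this matcher honours: dport, content, offset, depth, sid."""
    dport, options = HEADER.match(line).groups()
    rule = {'dport': dport, 'offset': 0, 'depth': 0}
    for opt in options.split(';'):
        key, _, val = (s.strip() for s in opt.partition(':'))
        if key == 'content':
            rule['content'] = content_bytes(val.strip('"'))
        elif key in ('offset', 'depth', 'sid'):
            rule[key] = int(val)
    return rule

def rule_matches(rule, payload, dport):
    """Destination port check, then search content within payload[offset:offset+depth]."""
    if rule['dport'] != 'any' and int(rule['dport']) != dport:
        return False
    start = rule['offset']
    end = start + rule['depth'] if rule['depth'] else len(payload)
    return rule['content'] in payload[start:end]

def matching_sids(payload, dport):
    """SIDs of the quoted rules that would fire on one TCP payload sent to the given port."""
    rules = [parse_rule(l) for l in RULES.strip().splitlines()]
    return [r['sid'] for r in rules if rule_matches(r, payload, dport)]

# Constructed sample payloads (not real captures): a piece request, a tracker GET, a handshake.
PEER_REQUEST = bytes.fromhex('0000000d06') + (5).to_bytes(4, 'big') + bytes(4) + (16384).to_bytes(4, 'big')
ANNOUNCE = b'GET /announce?info_hash=%AA%BB%CC&peer_id=-AZ2500-constructed0 HTTP/1.1\r\n\r\n'
HANDSHAKE = b'\x13BitTorrent protocol' + bytes(8) + bytes(20) + b'-AZ2500-constructed0'

if __name__ == '__main__':
    print(matching_sids(PEER_REQUEST, 51413))  # [2000334]
    print(matching_sids(ANNOUNCE, 6969))       # [2000369]
    print(matching_sids(ANNOUNCE, 80))         # []  the announce rule is limited to port 6969
    print(matching_sids(HANDSHAKE, 6881))      # []  the BitTorrent handshake itself is not covered
```

The last two cases are the ones worth noting when tuning: a tracker on a non-default port and the initial handshake both slip past these three signatures, so a quiet "Snort Alerts" page does not by itself prove the rules are loaded.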



  • I believe the bleeding items require a custom program that only comes with the rules from snort.org.  Not sure if we can compile that and redistribute.

    I'll look into it.



  • Does clicking on the snort rule to edit work in Firefox?  All I can do is sort the column.

    thanks,
    Jim



  • jzsjr,
    Yes, Firefox 1.5.0.7 works for me.

    But, I have noticed that something in snort 2.6.0.4 php has changed for the worse compared to 2.6.0.3. I realize that another column has been added - Snort Blocked_Alert Description, but now a refresh of the page takes about 30 seconds (8 blocked IPs) instead of perhaps 2-3 seconds before. RC3e P3-450 256MB

    In my other FW (RC3e  P3-350 256MB) where I normally have about 7-800 blocked IPs, this page is unusable. Worst of all is that if you get impatient and refresh the page before it's done, another instance of php is started and they take 99% cpu indefinitely, as it seems.

    I get the feeling that all of the GUI for snort has slowed down. So, jzsjr, perhaps you've double-clicked a little bit too much?



  • @jzsjr:

    Does clicking on the snort rule to edit work in Firefox?  All I can do is sort the column.

    thanks,
    Jim

    There was a bug where this didn't work. You have to be at the latest version of RC3 and have the latest version of the package installed.



  • @sullrich:

    I believe the bleeding items require a custom program that only comes with the rules from snort.org.  Not sure if we can compile that and redistribute.

    I'll look into it.

    Any word on this yet?  Just curious as I think it'd be useful to have the option to use either "regular" or "bleeding" rules  :)

    Thanks



  • No, sorry, nothing as of yet.

