Debugging Snort Rules

Problem

A rule isn't doing what it should be. How can you find out why?

Solution

Isolate your rules, and test them one by one in a simple file by using the following syntax:

snort -i eth0 -n 1 -c filename


Discussion

This lets you check each rule in turn for correctness. Snort parses the rules file at startup and refuses to start if a rule is malformed; otherwise it exits after it has read one packet (-n 1), so a clean exit means the rule parsed. (On Snort 2.x, snort -T -c filename parses the configuration and rules without reading any packets at all.) Unfortunately, this only confirms that the rule is well formed. It doesn't ensure that your logic is right. If a rule isn't doing what you expect, take it back to first principles:

  • Are you carrying out the right action (alert, log, pass, activate, or dynamic)?
  • Are you looking at the right protocol (tcp, udp, icmp, or ip)?
  • Are you using only one protocol per rule?
  • Are you looking at the right source and destination addresses?
  • Are you looking at the right source and destination ports (icmp rules have none; use any)?
  • Is your rule running in the right direction? Snort supports only -> and <>; there is no <- operator, so to reverse a rule swap its source and destination fields.
  • Are you looking for the right thing (the content, pcre, flags, or other options that actually match the traffic)?
  • Are you suppressing or thresholding the rule anywhere (a suppress or threshold entry in snort.conf or threshold.conf keyed on its sid)?
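As an added example, not code from the Snort Cookbook or the Snort project, the following Python script mechanizes both the isolation step from the Solution and the header checklist above: it splits a rules file into one rule per file, prints the one-packet test command for each file, and flags header mistakes (bad action, more than one protocol, the nonexistent <- operator, malformed addresses or ports, ports on an icmp rule, a missing sid) before Snort is ever run. Assumptions: Snort 2.x header grammar, IPv4 addresses, no whitespace inside [...] lists, and a constructed four-rule sample; the file names, function names and interface name are mine.

```python
"""Added example: a first-principles checker for Snort 2.x rule headers.

Not from the Snort Cookbook or the Snort project.  Parses each rule's
header (action proto src sport direction dst dport), reports checklist
mistakes, and writes each rule to its own file so it can be tested alone
with:  snort -i eth0 -n 1 -c <file>
"""
import os
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S
)
# Assumed: IPv4 only, no whitespace inside [...] lists.
ADDR_RE = re.compile(r"^!?(any|\$\w+|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?|\[[^\s\[\]]+\])$")
PORT_RE = re.compile(r"^!?(any|\$\w+|\d{1,5}(:\d{0,5})?|:\d{1,5}|\[[^\s\[\]]+\])$")


def split_rules(text):
    """Split a rules file into individual rules: drop blank and # lines,
    join backslash-continued lines."""
    rules, current = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            current += stripped[:-1] + " "
            continue
        rules.append(current + stripped)
        current = ""
    return rules


def check_rule(rule):
    """Walk the first-principles checklist over one rule's header.
    Returns a list of problem strings; an empty list means the header looks sane."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["header does not parse as: action proto src sport dir dst dport (options)"]
    action, proto, src, sport, direction, dst, dport, options = m.groups()
    problems = []
    if action not in ACTIONS:
        problems.append("unknown action %r" % action)
    if proto not in PROTOCOLS:
        problems.append("protocol %r is not one of tcp/udp/icmp/ip (one protocol per rule)" % proto)
    if direction == "<-":
        problems.append("'<-' does not exist in Snort; swap source and destination and use '->'")
    elif direction not in DIRECTIONS:
        problems.append("unknown direction %r" % direction)
    for label, value in (("source address", src), ("destination address", dst)):
        if not ADDR_RE.match(value):
            problems.append("%s %r is malformed" % (label, value))
    for label, value in (("source port", sport), ("destination port", dport)):
        if not PORT_RE.match(value):
            problems.append("%s %r is malformed" % (label, value))
    if proto == "icmp" and (sport != "any" or dport != "any"):
        problems.append("icmp has no ports; anything but 'any' is meaningless here")
    if options.strip() and not options.strip().endswith(";"):
        problems.append("last option must end with ';'")
    if not re.search(r"\bsid\s*:\s*\d+", options):
        problems.append("no sid; the rule cannot be matched against suppress/threshold entries")
    return problems


def isolate_rules(text, directory):
    """Write each rule into its own file (rule_001.rules, ...).  Returns
    (path, problems) pairs so every file can be tested on its own."""
    os.makedirs(directory, exist_ok=True)
    out = []
    for i, rule in enumerate(split_rules(text), 1):
        path = os.path.join(directory, "rule_%03d.rules" % i)
        with open(path, "w") as f:
            f.write(rule + "\n")
        out.append((path, check_rule(rule)))
    return out


def snort_command(path, iface="eth0"):
    """The one-packet test command from the recipe for an isolated rule file."""
    return "snort -i %s -n 1 -c %s" % (iface, path)


# Constructed sample (not from any ruleset): one sound rule, three checklist mistakes.
SAMPLE_RULES = """\
# constructed test rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test"; content:"GET /test"; sid:1000001; rev:1;)
alert tcp $HOME_NET 80 <- $EXTERNAL_NET any (msg:"wrong operator"; sid:1000002; rev:1;)
alert tcp,udp any any -> any 53 (msg:"two protocols"; sid:1000003; rev:1;)
alert icmp any any -> any 80 (msg:"icmp with a port"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    import tempfile
    for path, problems in isolate_rules(SAMPLE_RULES, tempfile.mkdtemp()):
        print(snort_command(path))
        for p in problems:
            print("  -", p)
```

Run it against your real rules file instead of SAMPLE_RULES; any rule that the checker passes but Snort still does not fire on is a logic problem, not a syntax one, and belongs to the remaining checklist items (what you are matching on, and whether a suppress or threshold entry is silencing the sid).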

Sometimes it is wise to start from a clean sheet. The most persistent errors are the ones you read past time and time again until you start over, at which point they become obvious.

See Also

Snort Users Manual

Building a Distributed IDS (Plain Text)

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167