在Snort警报文件中指定规则地址
[英]Specifying the rule address in Snort alert file
问题描述
I am working on a project, which deals with changing the order of the rules, to make the IDS process faster and more efficient. 
我正在研究一个项目,该项目涉及更改规则的顺序,以使IDS流程更快,更高效。 I just have to find where the rule generating any alert in snort alert file, is located. 我只需要找到在snort警报文件中生成任何警报的规则所在的位置。 (I mean the rule is located on which line, in which rule file?) Can anyone help me find out? (我的意思是该规则位于哪一行,哪个规则文件中?)有人可以帮我找出来吗?
2 个解决方案
解决方案1
0 2015-08-13 09:20:03
To locate rules within the configuration file: 要在配置文件中找到规则:
you can use signature ID of snort rules. 您可以使用snort规则的签名ID。
For example, 例如,
[**] [1:5000361:0] need-to-know - suspicious spammed domain [**]
here the signature ID is 5000361 . 此处的签名ID为5000361 。
or, you can search in the configuration file for the referenece shown in the alert 或者,您可以在配置文件中搜索警报中显示的参照
[Xref => url www.spamhaus.org/query/dbl?domain=xxxxxxx.com]
In the above line, the reference is www.spamhaus.org/query/dbl?domain=xxxxxxx.com 在上面的行中,引用是www.spamhaus.org/query/dbl?domain=xxxxxxx.com
Snort configuration file is specified using the -c option followed by the name of the configuration file, usually named as snort.conf . Snort配置文件是使用-c选项指定的,后跟配置文件的名称,通常命名为snort.conf 。 Since it is specified using the option, it could be located anywhere on the system. 由于是使用选项指定的,因此它可以位于系统上的任何位置。 Usually it can be found at /usr/local/etc/snort.conf or in the directory where snort is installed. 通常可以在/usr/local/etc/snort.conf或安装snort的目录中找到它。
解决方案2
0 2015-08-24 00:03:52
This question doesn't really make any sense. 这个问题实际上没有任何意义。 "I am working on a project, which deals with changing the order of the rules, to make the IDS process faster and more efficient." “我正在研究一个项目,该项目涉及更改规则的顺序,以使IDS流程更快,更高效。”
This implies that if you change the order that the snort rules are in in a file then it will change the order in which they are evaluated, and that is completely wrong. 这意味着,如果您更改了snort规则在文件中的顺序,那么它将更改它们的求值顺序,这是完全错误的。 The way snort works in terms of rule evaluation is much more complicated and to be more efficient you must make your rules more efficient. snort在规则评估方面的工作方式要复杂得多,并且要提高效率,您必须使规则更有效。 For snort the most important part of a rule is the fast_pattern keyword. 对于snort,规则中最重要的部分是fast_pattern关键字。 Even if you do not specify a fast_pattern in a rule snort will automatically choose the longest content match in the rule that is at least 3 characters and use this as the fast_pattern. 即使您未在规则中指定fast_pattern,snort也会自动选择规则中最长的内容匹配项(至少3个字符),并将其用作fast_pattern。 For every packet that comes in snort will build a rule evaluation tree for that packet and the order of these rules is completely unrelated to the order that they are stored in the config files. 对于进入snort的每个数据包,将为该数据包建立规则评估树,这些规则的顺序与它们在配置文件中存储的顺序完全无关。 Snort will just read all rules in the configs and the order they are evaluated is determined when it receives the packet at during run time. Snort将只读取配置中的所有规则,并在运行时接收到数据包时确定对它们评估的顺序。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.