[Snort-devel] rule port problem

Chris Green cmg at ...81...
Tue Dec 12 15:00:48 EST 2000


Repeating the answer to my question by Marty, bidirectional rules are broken in
snort-cvs.

Quick workaround here was to just replace them w/ 2 rules:

# napster rules written to be unidirectional
alert tcp any any -> any 6699 (msg:"Napster Client Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any -> any 8888 (msg:"Napster 8888 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any -> any 7777 (msg:"Napster 7777 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any -> any 6666 (msg:"Napster 6666 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any -> any 5555 (msg:"Napster 5555 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any -> any 4444 (msg:"Napster 4444 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any -> any 8875 (msg:"Napster Server Login"; flags:PA; content:"anon at ...163...";)
alert tcp any 6699 -> any any (msg:"Napster Client Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any 8888 -> any any (msg:"Napster 8888 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any 7777 -> any any (msg:"Napster 7777 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any 6666 -> any any (msg:"Napster 6666 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any 5555 -> any any (msg:"Napster 5555 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any 4444 -> any any (msg:"Napster 4444 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any 8875 -> any any (msg:"Napster Server Login"; flags:PA; content:"anon at ...163...";)

You'll need to change ping-lib too if you use that.  Just search for
<> and replace.


"Hammerle, Tye F." <Tye.F.Hammerle at ...161...> writes:

> I'm seeing a lot of false hits on the Latest Napster rules. snort is hitting
> on the content only and disregarding the ports in the rule. The first rule
> hits on the content and none of the others do. I've commented out the first
> rule and then the second rule in order hits. Note that the hit is on content
> only, the port doesn't appear to make any difference.
> 
> Tye

-- 
Chris Green <cmg at ...81...>
Fame may be fleeting but obscurity is forever.
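The "search for <> and replace" workaround above can be scripted rather than done by hand. The following is an added example, not code from the original post or from the Snort project: it parses the header of each rule, leaves `->` rules untouched, and expands every bidirectional `<>` rule into the two unidirectional rules Chris shows (same options, source and destination swapped in the second copy). The sample ruleset in `SAMPLE_RULES` is constructed for this example; the rule parser only understands the simple `action proto src sport dir dst dport (options)` header form used on this page.

```python
import re

# Snort rule header: action proto src sport dir dst dport (options)
# Options are taken greedily so parentheses inside them do not break the match.
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'(?P<opts>\(.*\))\s*$'
)

# Constructed sample ruleset using the bidirectional operator (not from the post).
SAMPLE_RULES = """\
# napster rules, bidirectional form
alert tcp any any <> any 6699 (msg:"Napster Client Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any <> any 8888 (msg:"Napster 8888 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any -> any 8875 (msg:"Napster Server Login"; flags:PA; content:"PLACEHOLDER";)
"""


def split_bidirectional(rule: str) -> list[str]:
    """Return [rule] if it already uses '->'; for a '<>' rule return two
    '->' rules, one per direction, carrying identical options."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised rule header: {rule!r}")
    g = m.groupdict()
    forward = (f"{g['action']} {g['proto']} {g['src']} {g['sport']} -> "
               f"{g['dst']} {g['dport']} {g['opts']}")
    if g['dir'] == '->':
        return [forward]
    # Second copy: swap source and destination so the reverse direction is matched.
    reverse = (f"{g['action']} {g['proto']} {g['dst']} {g['dport']} -> "
               f"{g['src']} {g['sport']} {g['opts']}")
    return [forward, reverse]


def rewrite_ruleset(text: str) -> str:
    """Rewrite a whole rules file, keeping blank lines and comments as they are."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            out.append(line)
            continue
        out.extend(split_bidirectional(stripped))
    return '\n'.join(out) + '\n'


def count_rules(text: str) -> int:
    """Number of non-comment, non-blank lines (i.e. rules) in a ruleset."""
    return sum(1 for l in text.splitlines() if l.strip() and not l.strip().startswith('#'))


if __name__ == "__main__":
    print(rewrite_ruleset(SAMPLE_RULES))
```

Run over `SAMPLE_RULES`, the two `<>` rules become four `->` rules and the `->` rule passes through unchanged, which is exactly the transformation applied by hand in the list above. A rule header that the regex does not recognise raises rather than being silently dropped, so a rules file with unusual syntax fails loudly instead of losing coverage.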