[Snort-devel] rule port problem

Martin Roesch roesch at ...48...
Mon Dec 18 00:46:09 EST 2000


These rules should work properly in beta 8 now, please try it again with that.

    -Marty

Chris Green wrote:
> 
> Repeating the answer to my question by Marty, bidirectional rules are broken in
> snort-cvs.
> 
> Quick work around here was just replace them w/ 2 rules
> 
> # napster rules written to be unidirectional
> alert tcp any any -> any 6699 (msg:"Napster Client Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any any -> any 8888 (msg:"Napster 8888 Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any any -> any 7777 (msg:"Napster 7777 Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any any -> any 6666 (msg:"Napster 6666 Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any any -> any 5555 (msg:"Napster 5555 Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any any -> any 4444 (msg:"Napster 4444 Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any any -> any 8875 (msg:"Napster Server Login"; flags:PA; content:"anon at ...163...";)
> alert tcp any 6699 -> any any (msg:"Napster Client Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any 8888 -> any any (msg:"Napster 8888 Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any 7777 -> any any (msg:"Napster 7777 Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any 6666 -> any any (msg:"Napster 6666 Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any 5555 -> any any (msg:"Napster 5555 Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any 4444 -> any any (msg:"Napster 4444 Data"; flags:PA; content:".mp3"; nocase;)
> alert tcp any 8875 -> any any (msg:"Napster Server Login"; flags:PA; content:"anon at ...163...";)
> 
> You'll need to change ping-lib too if you use that.  Just search for
> <> and replace
> 
> "Hammerle, Tye F." <Tye.F.Hammerle at ...161...> writes:
> 
> > I'm seeing a lot of false hits on the Latest Napster rules. snort is hitting
> > on the content only and disregarding the ports in the rule. The first rule
> > hits on the content and none of the others do. I've commented out the first
> > rule and then the second rule in order hits. Note that the hit is on content
> > only, the port doesn't appear to make any difference.
> >
> > Tye
> 
> --
> Chris Green <cmg at ...81...>
> Fame may be fleeting but obscurity is forever.
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-devel

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org
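The workaround Chris describes above (split every bidirectional `<>` rule into a `->` rule and its mirror image) is easy to get wrong by hand across a large rules file, because the source and destination address/port pairs have to be swapped, not just the operator replaced. The following script is an added example written for this page, not code from the thread or from the Snort project: it rewrites a rules file mechanically. The sample rules it embeds are constructed bidirectional forms of the Napster rules quoted above, written here for illustration; the regular expression assumes the classic single-line rule header layout (`action proto src sport <> dst dport (options)`) and makes no attempt to handle multi-line rules.

```python
import re

# Header of a single-line bidirectional Snort rule:
#   <action> <proto> <src_ip> <src_port> <> <dst_ip> <dst_port> (<options>)
# Address fields are taken as any run of non-whitespace, so variables
# ($HOME_NET), negations (!10.0.0.1) and lists ([a,b]) pass through untouched.
BIDIR_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+<>\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<opts>\(.*\))\s*$'
)

# Constructed sample input (not from the original thread): the Napster
# rules as they might have looked before being made unidirectional.
SAMPLE_RULES = """\
# napster rules, bidirectional form (constructed sample)
alert tcp any any <> any 6699 (msg:"Napster Client Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any <> any 8888 (msg:"Napster 8888 Data"; flags:PA; content:".mp3"; nocase;)
"""


def split_bidirectional(rule):
    """Return [rule] for a unidirectional or unparseable rule, or the two
    equivalent '->' rules for a '<>' rule.  A rule that is symmetric
    (e.g. 'any any <> any any') would produce two identical rules, so it
    is collapsed to a single one."""
    m = BIDIR_RE.match(rule.strip())
    if not m:
        return [rule]
    g = m.groupdict()
    forward = "{action} {proto} {src} {sport} -> {dst} {dport} {opts}".format(**g)
    reverse = "{action} {proto} {dst} {dport} -> {src} {sport} {opts}".format(**g)
    return [forward] if forward == reverse else [forward, reverse]


def rewrite_rules(text):
    """Rewrite a whole rules file, preserving comments and blank lines."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            out.append(line)
        else:
            out.extend(split_bidirectional(line))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(rewrite_rules(SAMPLE_RULES), end='')
```

Both halves of a split rule keep the same `msg`, exactly as in Chris's hand-written version, so alerts from the two directions are indistinguishable in the logs; if that matters, edit the `msg` of the mirrored rule after rewriting. Note also that the mirrored rule (`any 6699 -> any any`) matches by source port, so any traffic originating from port 6699 with `.mp3` in the payload will trip it, not only Napster replies.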
