[Snort-sigs] Newbie Rule Question

John Sage jsage at ...425...
Thu Aug 22 16:02:03 EDT 2002


Brett:

On Thu, Aug 22, 2002 at 05:38:02PM -0400, Brett.Gillett at ...772... wrote:
> Hey everyone,
> 
> I am trying to write a snort rule that will capture invalid packets from a
> specific source, I have come up with something, but it doesn't seem to be
> working.  If I run tcpdump I can see the source and the bad packet but
> snort does not alert on it... Here's the rule
> 
> alert tcp a.b.c.0/24 any -> $INTERNAL any {flags: 1+; msg: "XXX Unusal
> Packet";)

First off, here you're starting with a curly-brace { , and ending with
a parens ) ..

..is that *really* how the rule's written? I don't think that works..


As I read it, this rule will match:

1) tcp packets;

2) from any hosts in the range (for example):

HostMin:   192.168.0.1   
HostMax:   192.168.0.254 

Network:   192.168.0.0/24
Broadcast: 192.168.0.255 
Hosts/Net: 254           

3) from any source port;

4) to whatever $INTERNAL is set to ($HOME_NET? what?);

5) to any destination port;

6) with the "1  Reserved bit 1 (MSB in TCP Flags byte)" flag set

	AND

   with "+  ALL flag, match on all specified flags plus any others" set..


Is this what you're trying to do?

Questions:

What's $INTERNAL set to? Is it set correctly?

Are you really trying to test for that TCP reserved flag -- usually
that's ECN, AFAIK, bit 9, below:


  0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|               |               | C | E | U | A | P | R | S | F |
| Header Length |    Reserved   | W | C | R | C | S | S | Y | I |
|               |               | R | E | G | K | H | T | N | N |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
 Figure 4: The new definition of bytes 13 and 14 of the TCP Header.

See: ftp://ftp.isi.edu/in-notes/rfc3168.txt


This is not very common, I might think it's possible that your rule's
working, but you just aren't seeing any...



- John
-- 
"You are in a little maze of twisty passages, all different."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
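To make the flag semantics John walks through concrete, here is an added example (not code from the original post, nor Snort's own code) that evaluates a Snort-style `flags:` option against the flags byte of a raw TCP header. The match rules it implements are the documented Snort ones: no modifier means an exact match, `+` means all listed flags plus any others, `*` means any of the listed flags, `!` means none of them, and an optional `,mask` part names bits to ignore (commonly `12`, the two reserved/ECN bits). Accepting the modifier either before the letters (manual form) or after them (the `1+` form in the post) is this example's own choice; the sample headers are constructed inline.

```python
import struct

# Bit values of the TCP flags byte (byte 13 of the TCP header, counting from 0).
# Snort names the two high bits "1" (0x80, reserved bit 1 / CWR in RFC 3168)
# and "2" (0x40, reserved bit 2 / ECE in RFC 3168).
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80,
}
MODIFIERS = "+*!"


def tcp_flags_byte(tcp_header):
    """Return byte 13 of a raw TCP header (the flags byte in the RFC 3168 figure)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header too short")
    return tcp_header[13]


def parse_flags_option(option):
    """Parse a Snort 'flags:' value such as '1+', 'S', 'SA,12', '+S' or '!R'.

    Returns (required_bits, modifier, ignored_bits).  The modifier is accepted
    before or after the flag letters (an assumption of this example).  A '0'
    means "no flags set" and leaves required_bits at zero.
    """
    flags_part, _, mask_part = option.replace(" ", "").partition(",")
    modifier = ""
    required = 0
    for ch in flags_part:
        if ch in MODIFIERS:
            if modifier:
                raise ValueError("more than one modifier in %r" % option)
            modifier = ch
        elif ch == "0":
            pass  # explicit "no flags"
        elif ch in FLAG_BITS:
            required |= FLAG_BITS[ch]
        else:
            raise ValueError("unknown flag character %r in %r" % (ch, option))
    ignored = 0
    for ch in mask_part:
        if ch not in FLAG_BITS:
            raise ValueError("unknown mask character %r in %r" % (ch, option))
        ignored |= FLAG_BITS[ch]
    return required, modifier, ignored


def flags_match(option, flags_byte):
    """Apply the documented Snort flags semantics to one packet's flags byte."""
    required, modifier, ignored = parse_flags_option(option)
    flags = flags_byte & ~ignored & 0xFF  # masked-out bits never count
    if modifier == "":  # exact match: these flags and no others
        return flags == required
    if modifier == "+":  # every listed flag set, anything else allowed
        return flags & required == required
    if modifier == "*":  # at least one listed flag set
        return flags & required != 0
    return flags & required == 0  # "!": none of the listed flags set


def rule_matches(option, tcp_header):
    return flags_match(option, tcp_flags_byte(tcp_header))


def make_tcp_header(flags_byte, sport=40000, dport=80):
    """Build a constructed 20-byte TCP header (no options) carrying flags_byte."""
    data_offset = 5 << 4  # five 32-bit words, reserved nibble zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                       data_offset, flags_byte, 65535, 0, 0)


if __name__ == "__main__":
    # Constructed sample packets, keyed by a human-readable description.
    samples = {
        "SYN": make_tcp_header(0x02),
        "SYN/ACK": make_tcp_header(0x12),
        "ECN-setup SYN (CWR+ECE+SYN)": make_tcp_header(0xC2),
        "CWR+ACK": make_tcp_header(0x90),
        "no flags": make_tcp_header(0x00),
    }
    for option in ("1+", "S", "S,12", "*SA", "!R", "0"):
        hits = [name for name, hdr in samples.items() if rule_matches(option, hdr)]
        print("flags:%-5s -> %s" % (option, ", ".join(hits) or "(nothing)"))
```

Running it shows why `flags: 1+` is a narrow test: only packets with the MSB of the flags byte set (the CWR position under RFC 3168) hit it, so an ordinary SYN or SYN/ACK from the suspect network never alerts, while `S,12` catches a SYN whether or not the ECN bits are set.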



