[Snort-sigs] Need a little help over here...

Mark Taber mark at ...410...
Wed Mar 6 12:00:18 EST 2002


Hi everyone,

I am a little new to creating rules and I was wondering if I could get a
little help.  I have an issue with a snort sensor sending out traffic to
a secured site and receiving a "web-misc 403 forbidden".  I haven't been
able to figure out why that computer is going to the site, so I haven't
been able to stop the traffic.  I was wondering if I could create a
"pass" rule that would allow me to get rid of those alerts.  The
original rule is:

alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403 Forbidden"; flags:A+; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:2;)

(Rule that I am creating; x.x.x.x = IP of secured site?)
pass tcp $HTTP_SERVERS 80 -> x.x.x.x any (msg:"WEB-MISC 403 Forbidden"; flags:A+; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:2;)

I believe I would need to run snort with the -o switch configured, is
that correct?


Looking it over again, I think I am even more confused?  Which side of
the "->" is my sensor, and which side is information coming from the
website?  Please help, my head hurts...
 

Mark
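The following is an added worked example, not part of the post above and not Snort's own code. It is a small Python model of the two things the question turns on: how Snort 1.x reads a rule header (the field left of "->" is compared with the packet's source address and port, the field right of it with the destination) and how the -o switch changes the order in which pass and alert rules are applied (default alert, pass, log; with -o it becomes pass, alert, log). It evaluates the quoted sid 1201 rule, the poster's draft pass rule, and a corrected pass rule against a constructed 403 response. The addresses (sensor 192.0.2.10, secured site 203.0.113.5 standing in for x.x.x.x), the two variable tables, the packet and the "first match wins" simplification are all assumptions made for the example.

```python
"""Toy model of Snort 1.x rule-header matching and alert/pass ordering.

Added example, not code from the original post or from Snort. Addresses,
variable tables and the packet below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str               # "alert", "pass" or "log"
    src: str                  # address field LEFT of '->'  (packet source)
    sport: str
    dst: str                  # address field RIGHT of '->' (packet destination)
    dport: str
    msg: str = ""
    content: Optional[bytes] = None
    depth: Optional[int] = None


def addr_matches(spec: str, addr: str, variables: dict) -> bool:
    """Resolve one address field: 'any', '$VAR', '!spec', 'a.b.c.d' or 'a.b.c.d/nn'."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec], addr, variables)
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet, variables: dict) -> bool:
    """Header first (source on the left of '->', destination on the right),
    then the content option, searched only within the first 'depth' bytes."""
    if not (addr_matches(rule.src, pkt.src, variables) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst, variables) and port_matches(rule.dport, pkt.dport)):
        return False
    if rule.content is None:
        return True
    window = pkt.payload if rule.depth is None else pkt.payload[:rule.depth]
    return rule.content in window


DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 1.x default rule order
DASH_O_ORDER = ("pass", "alert", "log")    # rule order with 'snort -o'


def evaluate(rules, pkt, variables, order=DEFAULT_ORDER):
    """Try rule groups in 'order'; the first matching rule decides (simplification:
    first match wins). Returns (action, msg), or None when nothing matched."""
    for action in order:
        for r in rules:
            if r.action == action and rule_matches(r, pkt, variables):
                return action, r.msg
    return None


# sid 1201 rev 2, header and content as quoted in the post
ALERT_403 = Rule("alert", "$HTTP_SERVERS", "80", "$EXTERNAL_NET", "any",
                 msg="WEB-MISC 403 Forbidden", content=b"HTTP/1.1 403", depth=12)

# The poster's draft: the secured site placed RIGHT of '->' (as destination)
PASS_DRAFT = Rule("pass", "$HTTP_SERVERS", "80", "203.0.113.5", "any",
                  content=b"HTTP/1.1 403", depth=12)

# Assumed correction: the 403 travels FROM the site's port 80 TO the sensor,
# so the site belongs LEFT of '->' and the sensor's network on the right
PASS_FIXED = Rule("pass", "203.0.113.5", "80", "$HOME_NET", "any",
                  content=b"HTTP/1.1 403", depth=12)

# Constructed variable tables. LOOSE assumes HOME_NET left as 'any', which is
# how a response from an outside web server can satisfy $HTTP_SERVERS at all.
LOOSE = {"$HOME_NET": "any", "$EXTERNAL_NET": "any", "$HTTP_SERVERS": "$HOME_NET"}
TIGHT = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!$HOME_NET",
         "$HTTP_SERVERS": "$HOME_NET"}

# Constructed packet: the secured site's 403 coming back to the sensor
RESPONSE_403 = Packet("203.0.113.5", 80, "192.0.2.10", 40321,
                      b"HTTP/1.1 403 Forbidden\r\nServer: example\r\n\r\n")


def outcomes():
    """Scenario -> resulting action, so the effect of each change is visible."""
    return {
        "draft, default order": evaluate([ALERT_403, PASS_DRAFT], RESPONSE_403, LOOSE),
        "draft, -o":            evaluate([ALERT_403, PASS_DRAFT], RESPONSE_403, LOOSE, DASH_O_ORDER),
        "fixed, default order": evaluate([ALERT_403, PASS_FIXED], RESPONSE_403, LOOSE),
        "fixed, -o":            evaluate([ALERT_403, PASS_FIXED], RESPONSE_403, LOOSE, DASH_O_ORDER),
        "tight vars, no pass":  evaluate([ALERT_403], RESPONSE_403, TIGHT),
    }


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name:22s} -> {result}")
```

Two things fall out of running it. The draft pass rule never matches the 403 because it names the secured site as the destination, while the response has the site as its source; and even the corrected pass rule only silences the alert when the pass group is evaluated before the alert group, which is what -o does. The TIGHT table shows the alternative of scoping $HTTP_SERVERS to your own web servers, after which a 403 from an outside site does not satisfy sid 1201 in the first place.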




