[Snort-sigs] Need a little help over here...

Joe McAlerney joey at ...80...
Wed Mar 6 13:12:05 EST 2002


Hi Mark,

The $HTTP_SERVERS variable is intended to represent any web servers you
are running, although from what it sounds like, yours is set to 'any' or
your $HOME_NET.  These are the default settings.  From what it sounds
like, what you really want to do is pass on 403's coming back to your Snort
sensor (although it would be wise to look into why the sensor is
attempting to access that site in the first place).  Keep in mind that
the 403 is being returned TO your IDS in response to a connection
attempt.  Therefore, the arrow needs to point TO your IDS variable in
the rule.

Assuming that only one machine is returning the message:

var SECURE_SITE xxx.xxx.xxx.xxx/32
var MY_IDS yyy.yyy.yyy.yyy/32

pass tcp $SECURE_SITE 80 -> $MY_IDS any (msg:"WEB-MISC 403
Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12;
classtype:attempted-recon; sid:1201; rev:2;)

And yes, use the -o to allow the pass rule to take precedence over the
alert rule.

Hope this alleviates your headache. :-)

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey at ...80...
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

Mark Taber wrote:
> 
> Hi everyone,
> 
> I am a little new to creating rules and I was wondering if I could get a
> little help.  I have an issue with a snort sensor sending out traffic to
> a secured site and receiving a "web-misc 403 forbidden".  I haven't been
> able to figure out why that computer is going to the site, so I haven't
> been able to stop the traffic.  I was wondering if I could create a
> "pass" rule that would allow me to get rid of those alerts.  The
> original rule is:
> 
> alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403
> Forbidden";flags: A+; content:"HTTP/1.1 403";
> depth:12;classtype:attempted-recon; sid:1201; rev:2;)
> 
> (Rule that I am creating)
> pass tcp $HTTP_SERVERS 80 -> x.x.x.x any(IP Of Secured Site?)
> (msg:"WEB-MISC 403 Forbidden";flags: A+; content:"HTTP/1.1 403";
> depth:12; classtype:attempted-recon; sid:1201; rev:2;)
> 
> I believe I would need to run snort with the -o switch configured, is
> that correct?
> 
> Looking it over again, I think I am even more confused?  Which side of
> the "->" is my sensor, and which side is information coming from the
> website?  Please help, my head hurts...
> 
> 
> Mark
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
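The rule-direction point and the -o ordering from the reply above, worked through in a small Python evaluator. This is an added example, not code from the post or from Snort itself: it models only the parts of the Snort 1.x rule language the thread uses (source/destination matching, flags, content with depth, and the alert/pass/log ordering that -o changes). The addresses standing in for xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy and Mark's x.x.x.x are constructed documentation-range values.

```python
"""Toy evaluator for the Snort 1.x rules in the thread (added example,
not Snort code).  Shows that a pass rule written with the secure site on
the right of the arrow never matches the 403 response, while one that
points TO the sensor does, and that it only wins over the alert rule
when the rule-type order is changed as the -o switch does."""
import ipaddress
import re

# Assumed snort.conf variables (constructed; the first two are the defaults).
VARS = {
    "$HTTP_SERVERS": "any",
    "$EXTERNAL_NET": "any",
    "$SECURE_SITE": "203.0.113.10/32",  # stands in for xxx.xxx.xxx.xxx/32
    "$MY_IDS": "192.0.2.5/32",          # stands in for yyy.yyy.yyy.yyy/32
}

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split a Snort rule into header fields plus a dict of its options."""
    m = RULE_RE.match(" ".join(text.split()))   # fold line breaks/extra spaces
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if item.strip():
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    rule["opts"] = opts
    return rule

def _addr_ok(spec, ip):
    spec = VARS.get(spec, spec)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def _ends_ok(src, sport, dst, dport, pkt):
    return (_addr_ok(src, pkt["src"]) and _port_ok(sport, pkt["sport"])
            and _addr_ok(dst, pkt["dst"]) and _port_ok(dport, pkt["dport"]))

def _flags_ok(spec, flags):
    """'flags: A+' means ACK must be set and other bits may be set too."""
    if spec is None:
        return True
    required = set(spec.rstrip("+"))
    return required <= set(flags) if spec.endswith("+") else required == set(flags)

def rule_matches(rule, pkt):
    """Header match (honouring the arrow direction) plus the modelled options."""
    if rule["proto"] != pkt["proto"]:
        return False
    ok = _ends_ok(rule["src"], rule["sport"], rule["dst"], rule["dport"], pkt)
    if not ok and rule["dir"] == "<>":
        ok = _ends_ok(rule["dst"], rule["dport"], rule["src"], rule["sport"], pkt)
    if not ok or not _flags_ok(rule["opts"].get("flags"), pkt["flags"]):
        return False
    if "content" in rule["opts"]:
        depth = int(rule["opts"].get("depth", 0)) or len(pkt["payload"])
        if rule["opts"]["content"].encode() not in pkt["payload"][:depth]:
            return False
    return True

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 1.x default rule-type order
DASH_O_ORDER = ("pass", "alert", "log")    # the order the -o switch selects

def verdict(rules, pkt, order=DEFAULT_ORDER):
    """First rule type, in the configured order, that has a matching rule."""
    for action in order:
        if any(r["action"] == action and rule_matches(r, pkt) for r in rules):
            return action
    return None

OPTS = ('msg:"WEB-MISC 403 Forbidden"; flags: A+; content:"HTTP/1.1 403"; '
        'depth:12; classtype:attempted-recon; sid:1201; rev:2;')
ALERT_RULE = parse_rule("alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (%s)" % OPTS)
JOE_PASS = parse_rule("pass tcp $SECURE_SITE 80 -> $MY_IDS any (%s)" % OPTS)
# Mark's draft, with his x.x.x.x taken to be the secure site's address.
MARK_DRAFT = parse_rule("pass tcp $HTTP_SERVERS 80 -> 203.0.113.10 any (%s)" % OPTS)

# Constructed packet: the 403 the secure site returns TO the sensor.
RESPONSE_403 = dict(proto="tcp", src="203.0.113.10", sport=80,
                    dst="192.0.2.5", dport=51234, flags="PA",
                    payload=b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")

def demo():
    return {
        "alert_rule_matches": rule_matches(ALERT_RULE, RESPONSE_403),
        "joe_pass_matches": rule_matches(JOE_PASS, RESPONSE_403),
        "mark_draft_matches": rule_matches(MARK_DRAFT, RESPONSE_403),
        "default_order": verdict([ALERT_RULE, JOE_PASS], RESPONSE_403),
        "with_dash_o": verdict([ALERT_RULE, JOE_PASS], RESPONSE_403, DASH_O_ORDER),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the draft with the secure site on the right of the arrow never matching the response (its destination is the sensor, not the site), the corrected pass rule matching, and the alert still winning under the default alert/pass/log order until the pass-first order is used, which is why the -o switch is needed.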
