[Snort-sigs] problem writing rules for checking traffic and content

studentmm08.pool-id at ...1755...
Mon Aug 18 06:10:02 EDT 2003


I have a little problem with the rule detection in Snort.
I know that Snort uses a fast exit strategy: once matched, the packet
isn't checked against another rule by Snort.

My scenario is a very big company net with lots of subnets
(45 servers, 200 clients, lots of development nets).

My task is to check the source and destination of all traffic,
and on the other side the content of all traffic.

Example:

Clients 192.168.10.2-24 and 192.168.10.40-67 are allowed to make NetBIOS (port 139) connections to
server 192.168.10.200.

Snort should alert me if 192.168.10.30 tries to connect to the server on port 139.
Snort should alert me if a client from the list above makes a connection to the
server on port 139 and the content could be an attack.

If the source IP of the client is correct and the content doesn't match the Snort
NetBIOS rules, the IP packet should pass.

So on the one side I must check for attack patterns and on the other side whether
the firewall works correctly.

I'm a little bit confused, because I have no idea how to write such rules and
configure Snort.
The main question is: can you handle this with Snort?


Thanks for any response,
andreas
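One way to express the whitelist described above in Snort 2.x `var` and rule syntax, added here as an example that is not part of the original post or of the Snort distribution. The CIDR blocks are an exact decomposition of the two client ranges from the post; the variable names, msg text and sid value are assumptions.

```snort
# Constructed snort.conf fragment (added example, not from the list post).
# Snort 2.x has no range syntax, so 192.168.10.2-24 and 192.168.10.40-67
# are written as the minimal set of CIDR blocks covering exactly those hosts.
var NETBIOS_SERVER 192.168.10.200
var ALLOWED_CLIENTS [192.168.10.2/31,192.168.10.4/30,192.168.10.8/29,192.168.10.16/29,192.168.10.24/32,192.168.10.40/29,192.168.10.48/28,192.168.10.64/30]

# Firewall-policy check: a SYN to the server on 139 from any source that is
# NOT in the whitelist (e.g. 192.168.10.30) means the firewall let it through.
# The leading "!" negates the whole list, so whitelisted clients never match.
alert tcp !$ALLOWED_CLIENTS any -> $NETBIOS_SERVER 139 (msg:"LOCAL NetBIOS 139 from non-whitelisted client"; flags:S; classtype:policy-violation; sid:1000001; rev:1;)

# Content check: the stock NetBIOS signatures inspect payload regardless of
# source, so whitelisted clients still get their traffic examined.
include $RULE_PATH/netbios.rules
```

Because the policy rule matches only non-whitelisted sources, it never competes with the content rules for traffic from allowed clients, so no `pass` rule (and no `-o` rule-order change) is needed.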
