[Snort-sigs] Pure Not Rule not Supported?

Michael Sconzo msconzo at ...1371...
Mon Mar 8 08:50:03 EST 2004


If you put another content field in the sig it will work.  Something
for it to 'not' against, i.e. (content:!"a"; content:"b";)

-=Mike

On Thu, Mar 04, 2004 at 10:01:48AM -0800, Amanda Meyer wrote:
> Hello all,
> 
> I am currently running Snort 2.1.1 on a Win2K box, and trying to tune my
> rules for my Windows network.  As you may already be aware, when you run
> Snort on a Windows network, you tend to get false positives on the following
> rule:
> 
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet";
> dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499;
> rev:3;)
> 
> This is usually caused by the fact that Windows networks like to send out
> Slow Link Detection packets to help determine the speed of the link for
> applying Group Policy security.  (See
> http://www.wfu.edu/~steinsj5/work/icmp.html for more info).  This process
> actually causes two false positives, since two packets are sent: the first
> triggers the ICMP Ping NMAP rule, as it sends a 0 byte ping packet.  The
> second triggers the rule above; the ICMP payload actually contains a .gif
> image that has a distinct content of "WANG2.....JFIF".  I would like to
> tweak the ICMP Large ICMP Packet rule to ignore any packets that have this
> in the payload, but I'm running into a problem.  I am using the following
> rule:
> 
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP, NOT M$
> Slow Link Det"; content: ! "WANG2"; dsize: >800; reference:arachnids,246;
> classtype:bad-unknown; sid:499; rev:3;)
> 
> What I hope to accomplish is to have the rule only alert if the large ICMP
> packet does NOT contain "WANG2"; however, when I run snort (snort -A fast
> -bpc e:\snort\etc\snort.conf -l e:\snort\log) with this rule enabled I get
> the following error:
> 
> SNORT DETECTION ENGINE: Pure Not Rule 'ICMP Large ICMP, NOT M$ Slow Link
> Det' not added to detection engine.  These rules are not supported at this
> time.
> 
> However, when I look in the User Manual, I see the following for the syntax
> of content:
> 
> If the rule is preceded by a !, the alert will be triggered on packets that
> do not contain this content. This is useful when writing rules that want to
> alert on packets that do not match a certain pattern
> 
> Format
> 
> content: [!] "<content string>";
> 
> I've tried every variation I can think of, with no success.  I'm relatively
> new to Snort, so any insight and/or resources you can point me to would be
> greatly appreciated!
> 
> Thank you,
> 
> am

-- 
The New Testament offers the basis for modern computer coding theory,
in the form of an affirmation of the binary number system.
        But let your communication be Yea, yea; nay, nay: for
        whatsoever is more than these cometh of evil.
                -- Matthew 5:37
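Added example, not code from this thread or from the Snort project: a small Python linter that parses the option section of Snort 2.x rules and flags any rule whose content matches are all negated, which is exactly what the 2.1 detection engine rejects as a "Pure Not Rule". The sample ruleset is constructed from the two rules quoted above plus a hypothetical pass rule (sid:1000001 is an assumed local sid) that carries a positive content:"WANG2" match, so the linter accepts it. One rule per line is assumed; backslash line continuation is not handled.

```python
"""Lint Snort 2.x rules for 'pure not' content matches.

Added example, not from the thread or the Snort project. Snort 2.1 refuses to
load a rule whose only content matches are negated ("Pure Not Rule ... not
added to detection engine"). This script parses the option section of each
rule and flags rules that have negated content matches and no positive one,
so a ruleset can be checked before Snort is restarted.
Assumption: one rule per line (backslash line continuation is not handled).
"""
import re

# Constructed sample ruleset: the stock sid:499 rule, the 'pure not' rewrite
# from the thread, and a hypothetical pass rule (positive content, so it loads).
SAMPLE_RULES = r'''
# stock rule
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)
# pure-not rewrite: the engine rejects this
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP, NOT M$ Slow Link Det"; content: ! "WANG2"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)
# hypothetical pass rule with a positive match (assumed sid; needs 'snort -o' to run before alert rules)
pass icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MS slow link detection probe"; content:"WANG2"; dsize:>800; sid:1000001; rev:1;)
'''

# action, header, then everything between the first '(' and the last ')'
RULE_RE = re.compile(r'^\s*(\w+)\s+(.*?)\s*\((.*)\)\s*$')
# content value: optional '!', optional whitespace, one quoted string
CONTENT_RE = re.compile(r'^(!?)\s*"((?:[^"\\]|\\.)*)"$')


def split_options(opts):
    """Split 'a:1; msg:"x;y"; nocase;' on semicolons that are outside quotes."""
    items, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\' and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            items.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        items.append(tail)
    return [item for item in items if item]


def parse_rule(line):
    """Return {'action', 'header', 'options': [(name, value), ...]} or None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    action, header, opts = m.groups()
    options = []
    for item in split_options(opts):
        name, _, value = item.partition(':')   # 'nocase' style flags get value ''
        options.append((name.strip(), value.strip()))
    return {'action': action, 'header': header, 'options': options}


def parse_ruleset(text):
    """Parse one rule per non-blank, non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        if rule:
            rules.append(rule)
    return rules


def option_value(rule, name, default=''):
    """First value of the named option, or default."""
    for opt_name, value in rule['options']:
        if opt_name == name:
            return value
    return default


def classify_contents(rule):
    """Return (positive, negated) lists of content patterns in rule order."""
    positive, negated = [], []
    for name, value in rule['options']:
        if name != 'content':
            continue
        m = CONTENT_RE.match(value)
        if not m:
            continue  # malformed content option; Snort itself would reject it
        bang, pattern = m.groups()
        (negated if bang else positive).append(pattern)
    return positive, negated


def is_pure_not(rule):
    """True when the rule has negated content matches and no positive one."""
    positive, negated = classify_contents(rule)
    return bool(negated) and not positive


def lint(ruleset):
    """Return [(sid, msg), ...] for every pure-not rule in the ruleset text."""
    return [(option_value(r, 'sid'), option_value(r, 'msg').strip('"'))
            for r in parse_ruleset(ruleset) if is_pure_not(r)]


if __name__ == '__main__':
    for sid, msg in lint(SAMPLE_RULES):
        print(f"sid:{sid} '{msg}' is a pure not rule; Snort 2.1 will not load it")
```

Run it over a rules file before restarting Snort: any finding is a rule the engine will report as a "Pure Not Rule" and silently drop, leaving the original detection gap. The pass rule in the sample is the other common way to silence this false positive without touching sid:499: it carries a positive content match, so it loads, and when Snort 2.x is started with -o pass rules are evaluated before alert rules.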