[Snort-sigs] Alert rules

Lorine Ruotolo lori.ruotolo at ...12...
Tue Mar 14 08:42:07 EST 2006


By CREATE a connection, are you referring to a SYN packet? (The first packet 
in a TCP handshake)

I think you may wish to look up the "flags" option in rule writing.
flags: S;




>From: Jason <security at ...704...>
>To: FRANK SORNATALE <sornatale at ...12...>
>CC: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] Alert rules
>Date: Mon, 13 Mar 2006 12:24:16 -0500
>
>Hi Frank,
>
>As always the devil is in the details. I've put some questions inline to
>hopefully help you along the way.
>
>FRANK SORNATALE wrote:
> > I worked on these rules and I was wondering if you could let me know
> > what I could be missing.
> >
> > 3. Create an alert for any outgoing packets that list the CUPS protocol.
> >
> > Alert tcp any any -> any 514 (msg:”someone is printing”; classtype:
> > bad_unknown; sid: 20099997; rev:1;)
>
>This detects traffic ( tcp ) to port 514. Not sure syslog has anything
>to do with CUPS. Does CUPS use tcp? Does it use 514? Is CUPS even its
>own thing? Do you need to identify the protocol as the task suggests?
>
> >
> > 4. Create an alert for any packet that attempts to CREATE an ssh
> > connection.
> >
> > Alert tcp any any -> any 22 (msg:”someone using ssh”;
> > classtype:bad_unkown; sid: 20099996; rev:1;)
>
>This will detect connects to port 22 but that does not mean there is an
>attempt to create an SSH session. How specific should these rules be to
>the stated task?
>
> >
> > 5. Create an alert for any packet whose contents contain the word "bard"
> > (not case sensitive).
> >
> > Alert tcp any any -> $HOME_NET any (msg:”Someone used the word bard in
> > an email or other communications”; content: “bard”; nocase;
> > flow:from_server,established; classtype:bad_unknown; sid:20099995; rev:1;)
>
>This will attack bard in tcp traffic headed to any system in HOME_NET.
>Is that any packet? Can bard exist in UDP? Can bard exist without
>creating a three-way handshake?
>
> >
> > 6. Create an alert for any incoming packets on port 53 whose contents
> > contains 'ucf.edu'.
> >
> > alert tcp any 53 -> $HOME_NET (msg:”Someone using ucf.edu”;
> > content:”ucf.edu” flow:from_server,established; sid:20099995; rev:1;
>
>This rule would catch packets _sourced_ from port 53. Shouldn't that be
>destination port 53? Can ucf.edu exist in non tcp traffic?
>
>You are making progress. Keep it up.
>
>
> >
> >
> >> From: Hugo van der Kooij <hvdkooij at ...481...>
> >> Reply-To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
> >> To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
> >> Subject: Re: [Snort-sigs] Alert rules
> >> Date: Sun, 12 Mar 2006 21:24:47 +0100 (CET)
> >>
> >> On Fri, 10 Mar 2006, Brian Caswell wrote:
> >>
> >> > Please do not write these rules for Frank.  Frank is trying to get
> >> > you to do his homework for him.  When he asked me for help earlier, I
> >> > pointed him at the manual.  He needs to learn, not cheat.
> >>
> >> Somehow the neat list of 10 did trigger some bells. Then there were some
> >> rules that did not make any sense for a real life network to finish it
> >> off.
> >>
> >> Hugo.
> >>
> >> --
> >>     I hate duplicates. Just reply to the relevant mailinglist.
> >>     hvdkooij at ...481...        http://hvdkooij.xs4all.nl/
> >>         Don't meddle in the affairs of magicians,
> >>         for they are subtle and quick to anger.
> >>
> >>
> >> _______________________________________________
> >> Snort-sigs mailing list
> >> Snort-sigs at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> >
>
>

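An added rule linter (not code from the list or from Snort) that catches the slips the thread points at: word-processor quotes, a header missing a port, an options block without its closing paren, a dropped ';' between options, and a reused sid. The sample rules are constructed from rules 4 and 6 above; rule 4 is reworked with the flags:S suggestion so it fires on the SYN only. Snort's own parser is not involved; this is a plain-text check.

```python
import re
from collections import Counter
# Snort 2 rule actions and the header layout: action proto src sport dir dst dport
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
CURLY = "\u201c\u201d\u2018\u2019"   # word-processor quotes that Snort will not parse

def split_options(body):
    # Split an option body on ';' that sit outside ASCII double quotes.
    pieces, cur, inq = [], "", False
    for ch in body:
        inq ^= (ch == '"')
        if ch == ";" and not inq:
            pieces.append(cur.strip()); cur = ""
        else:
            cur += ch
    return pieces

def lint_rule(rule):
    """Return the findings for one rule text; an empty list means it parsed cleanly."""
    findings = []
    if any(c in rule for c in CURLY):
        findings.append("curly quotes present; Snort only understands ASCII double quotes")
    head, sep, opts = rule.partition("(")
    if not opts.rstrip().endswith(")"):
        findings.append("options block not closed with ')'")
    fields = head.split()
    if len(fields) != 7:
        findings.append(f"header has {len(fields)} fields, expected 7 (action proto src sport dir dst dport)")
    if fields and fields[0] not in ACTIONS:
        findings.append(f"unrecognised action {fields[0]!r}; Snort actions are lowercase, e.g. 'alert'")
    for piece in split_options(opts.rstrip().rstrip(")")):
        # two 'key:' tokens outside quotes in one piece means a ';' was dropped between options
        if len(re.findall(r"(?:^|\s)\w+\s*:", re.sub(r'"[^"]*"', '""', piece))) > 1:
            findings.append(f"missing ';' between options in: {piece!r}")
    return findings

def lint_ruleset(rules):
    """Lint each rule and flag every sid that is reused across the set."""
    sid_of = [(m.group(1) if (m := re.search(r"\bsid\s*:\s*(\d+)", r)) else None) for r in rules]
    dupes = {s for s, n in Counter(sid_of).items() if s and n > 1}
    report = [lint_rule(r) for r in rules]
    for sid, found in zip(sid_of, report):
        if sid in dupes:
            found.append(f"sid {sid} reused; every rule needs a unique sid")
    return report

# Constructed samples: rule 6 as posted (curly quotes and all), rule 4 with flags:S, and rule 5 reusing a sid
SAMPLES = [
    "alert tcp any 53 -> $HOME_NET (msg:\u201dSomeone using ucf.edu\u201d; content:\u201ducf.edu\u201d flow:from_server,established; sid:20099995; rev:1;",
    'alert tcp any any -> any 22 (msg:"ssh connection attempt"; flags:S; classtype:bad-unknown; sid:20099996; rev:1;)',
    'alert tcp any any -> $HOME_NET any (msg:"bard seen"; content:"bard"; nocase; classtype:bad-unknown; sid:20099995; rev:1;)',
]
```

Running `lint_ruleset(SAMPLES)` reports five problems on the first rule, nothing on the SYN rule, and only the reused sid on the third.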




