[Snort-sigs] Question about writing rules...

Dola Flavian flavian at ...3392...
Tue Aug 4 09:11:02 EDT 2009


Hi,

This rule generated a lot of false positives on my network's SMTP service:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)

So I rewrote the rule to:
alert ip $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)
But Snort still sent an alert on port 25 when I sent "AAAAA...." on TCP port 25.

So I rewrote the rule to:
alert tcp $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)
Then I sent "AAA..." on TCP port 25, and it worked! Snort did not send any alert.

So, is it normal that the "alert ip ... !25" rule sends an alert when I send "AAA...." on TCP port 25, but the "alert tcp ... !25" rule does not?
Why doesn't "alert ip ... !25" work?

Regards,

Flavian Dola
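As an added example that is not part of the original post or of Snort itself: a small Python model of Snort 2 rule-header matching, written to match the behaviour the post observes, which is how Snort 2 handles an ip-protocol header: the port fields are applied for tcp and udp headers and are not used for matching when the protocol is ip. It parses the three rule variants from the post, checks them against a constructed TCP/25 packet carrying the "AAAA..." payload, and adds a lint check that flags ip rules carrying a port restriction that will never be enforced. The parser (HEADER_RE, parse_rule, header_matches, rule_fires, lint_rule are all names chosen here) handles only the header features these rules use: a single protocol, `any`, a single port, or a single negated port; `$EXTERNAL_NET` and `$HOME_NET` are treated as matching any address.

```python
"""Model of Snort 2 rule-header matching (added example, not Snort code).

Assumption modelled here: port fields in the header are honoured only for
tcp and udp rules; an ip rule matches any IP protocol and its port fields
are ignored. That is the behaviour the mailing-list post reports.
"""
import re

# Header grammar restricted to what the post's rules need:
#   action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
CONTENT_RE = re.compile(r'content:\s*"([^"]*)"')
SID_RE = re.compile(r"sid:\s*(\d+)")

PORT_AWARE = {"tcp", "udp"}  # only these headers carry meaningful ports

# The three rule variants from the post, each on one line.
RULE_IP_ANY = ('alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 inc ecx NOOP"; '
               'content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)')
RULE_IP_NOT25 = RULE_IP_ANY.replace("$HOME_NET any", "$HOME_NET !25")
RULE_TCP_NOT25 = RULE_IP_NOT25.replace("alert ip", "alert tcp")

# Constructed packet (not captured traffic): a TCP segment to port 25 whose
# payload is a run of 'A' bytes, i.e. what the poster sent to test the rules.
PKT = {"proto": "tcp", "sport": 40000, "dport": 25, "payload": b"A" * 64}


def parse_rule(rule):
    """Split a one-line rule into header fields plus the raw option string."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparsable rule header: %r" % rule)
    fields = m.groupdict()
    fields["proto"] = fields["proto"].lower()
    return fields


def port_matches(spec, port):
    """'any' matches everything, '!N' matches port != N, 'N' matches port == N."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)


def header_matches(rule, pkt):
    """Apply the header only; addresses are treated as 'any'."""
    r = parse_rule(rule)
    # An ip header covers every IP protocol; tcp/udp/icmp must match exactly.
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return False
    # Port checks apply only to port-aware protocols (assumption modelled:
    # Snort 2 does not use the port fields of an ip rule when matching).
    if r["proto"] in PORT_AWARE:
        return port_matches(r["sport"], pkt["sport"]) and port_matches(r["dport"], pkt["dport"])
    return True


def rule_fires(rule, pkt):
    """Header match plus every content: option found in the payload."""
    if not header_matches(rule, pkt):
        return False
    opts = parse_rule(rule)["opts"]
    return all(c.encode("latin-1") in pkt["payload"] for c in CONTENT_RE.findall(opts))


def lint_rule(rule):
    """Warn when a non-tcp/udp header carries a port restriction that is never applied."""
    r = parse_rule(rule)
    if r["proto"] not in PORT_AWARE and (r["sport"] != "any" or r["dport"] != "any"):
        sid = SID_RE.search(r["opts"])
        return "sid %s: '%s' header does not enforce ports %s -> %s; use tcp or udp if ports matter" % (
            sid.group(1) if sid else "?", r["proto"], r["sport"], r["dport"])
    return None


if __name__ == "__main__":
    for name, rule in (("ip any", RULE_IP_ANY), ("ip !25", RULE_IP_NOT25), ("tcp !25", RULE_TCP_NOT25)):
        print("%-8s fires on TCP/25: %-5s lint: %s" % (name, rule_fires(rule, PKT), lint_rule(rule)))
```

Running the block prints that both ip variants fire on the TCP/25 packet while the tcp variant does not, and the lint line points at the `!25` restriction on the ip header as the field that has no effect; the same lint_rule() pass can be run over a whole ruleset to find other headers with the same problem.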