[Snort-sigs] Question about writing rules...

Bill Scherr IV bschnzl at ...3374...
Tue Aug 4 09:46:48 EDT 2009


Hi There

Snort doesn't check port numbers without a transport protocol.  If the rule starts with "alert ip" it doesn't have a valid transport 
protocol, even though the fields are in the same place.  If you want to check both tcp and udp, you have to use two rules.
(Reference: pg 1106, SourceFire 3D User Reference Guide)

B.

Circa 15:11, 4 Aug 2009, a note, claiming source Dola Flavian <flavian at ...3392...>, was sent to me:

Date sent:      	Tue, 04 Aug 2009 15:11:02 +0200
From:           	Dola Flavian <flavian at ...3392...>
To:             	<snort-sigs at lists.sourceforge.net>
Subject:        	[Snort-sigs] Question about writing rules...

> Hi,
> 
> This rule generated a lot of false positives on my network on the SMTP service:
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 inc ecx
> NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
> classtype:shellcode-detect; sid:1394; rev:10;)
> 
> So I rewrote the rule to:
> alert ip $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx
> NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
> classtype:shellcode-detect; sid:1394; rev:10;)
> But snort still sent an alert on port 25 when I sent "AAAAA...." on tcp port
> 25....
> 
> So I rewrote this rule to:
> alert tcp $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx
> NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
> classtype:shellcode-detect; sid:1394; rev:10;)
> Then I sent "AAA..." on tcp port 25, and it worked! Snort did not send any
> alert.
> 
> So, is it normal that the "alert ip ... !25" rule sends an alert when I send
> "AAA...." on tcp port 25, and not the rule "alert tcp ....!25"?
> Why doesn't "alert ip ... !25" work?
> 
> Regards,
> 
> Flavian Dola
> 



Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at ...3384...
bscherr at ...3385...
703-478-7608
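The behaviour Bill describes (port fields only being evaluated for tcp/udp rules, so an "alert ip ... !25" rule still fires on tcp/25) can be modelled in a few lines. The following is an added example written for this thread, not Snort's own matching engine: it parses the three rule variants quoted above, applies the stated semantics, and shows why the two-rule tcp/udp pair is the fix. Address matching ($EXTERNAL_NET/$HOME_NET) is left out, the packets are constructed, and sid 1000001 for the udp twin is a made-up local sid.

```python
"""Model of Snort rule-header matching, written for this thread (not Snort code).

Assumed semantics, taken from Bill's reply: a rule's port fields are only
evaluated when its protocol is a transport protocol (tcp/udp). An "alert ip"
rule matches any IP packet and ignores its port fields entirely.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

TRANSPORT_PROTOCOLS = {"tcp", "udp"}  # the only protocols whose ports get tested


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the rule header needs."""
    proto: str                 # "tcp", "udp", "icmp", ...
    dst_port: Optional[int]    # None for protocols without ports
    payload: bytes


def parse_rule(rule: str) -> Dict[str, Any]:
    """Parse the header plus the content: and sid: options of one Snort rule.

    Only the single-line subset used in the thread is handled; addresses
    are parsed but ignored by the matcher below.
    """
    header, _, options = rule.partition("(")
    action, proto, _src, _src_port, _arrow, _dst, dst_port = header.split()
    parsed: Dict[str, Any] = {"action": action, "proto": proto,
                              "dst_port": dst_port, "content": None, "sid": None}
    for opt in options.rstrip(")").split(";"):
        key, _, value = opt.strip().partition(":")
        if key == "content":
            parsed["content"] = value.strip().strip('"').encode()
        elif key == "sid":
            parsed["sid"] = int(value)
    return parsed


def port_matches(spec: str, port: Optional[int]) -> bool:
    """Match a port spec written as 'any', '25' or '!25'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    wanted = int(spec.lstrip("!"))
    return (port == wanted) != negate


def rule_matches(rule: Dict[str, Any], pkt: Packet) -> bool:
    """Apply protocol, port (transport rules only) and content checks."""
    proto = rule["proto"]
    if proto != "ip" and proto != pkt.proto:
        return False
    # The port test runs only for tcp/udp rules. An "ip" rule skips it and
    # goes straight to the content check, even for a packet to tcp/25.
    if proto in TRANSPORT_PROTOCOLS and not port_matches(rule["dst_port"], pkt.dst_port):
        return False
    content = rule["content"]
    return content is None or content in pkt.payload


def fired_sids(rules: List[str], pkt: Packet) -> List[int]:
    """Return the sids of every rule in `rules` that would alert on `pkt`."""
    return [r["sid"] for r in map(parse_rule, rules) if rule_matches(r, pkt)]


NOOPS = "A" * 31
OPTIONS = ('(msg:"SHELLCODE x86 inc ecx NOOP"; content:"%s"; '
           'classtype:shellcode-detect; sid:%d; rev:10;)')

# The rule variants from the thread; the udp twin's sid 1000001 is constructed.
IP_RULE = "alert ip $EXTERNAL_NET any -> $HOME_NET !25 " + OPTIONS % (NOOPS, 1394)
TCP_RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET !25 " + OPTIONS % (NOOPS, 1394)
UDP_RULE = "alert udp $EXTERNAL_NET any -> $HOME_NET !25 " + OPTIONS % (NOOPS, 1000001)

# Constructed traffic: the SMTP false positive, plus non-SMTP tcp and udp hits.
SMTP_PKT = Packet("tcp", 25, b"DATA\r\n" + NOOPS.encode())
HTTP_PKT = Packet("tcp", 80, b"GET /" + NOOPS.encode())
DNS_PKT = Packet("udp", 53, NOOPS.encode())

if __name__ == "__main__":
    print("ip rule, tcp/25:      ", fired_sids([IP_RULE], SMTP_PKT))           # [1394]
    print("tcp rule, tcp/25:     ", fired_sids([TCP_RULE], SMTP_PKT))          # []
    print("tcp+udp pair, tcp/80: ", fired_sids([TCP_RULE, UDP_RULE], HTTP_PKT))  # [1394]
    print("tcp+udp pair, udp/53: ", fired_sids([TCP_RULE, UDP_RULE], DNS_PKT))   # [1000001]
```

Running it reproduces Flavian's observation: the "ip" rule alerts on the SMTP packet despite "!25", the "tcp" rule does not, and only the tcp plus udp pair gives port exclusion on both transports.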