[Snort-sigs] Question about writing rules...

Joel Esler jesler at ...435...
Tue Aug 4 09:59:04 EDT 2009


IP rules don't take ports into account, since ports are at layer 4 and IP is handled at layer 3.

--
Sent from my iPhone

On Aug 4, 2009, at 9:11 AM, Dola Flavian <flavian at ...3392...> wrote:

> Hi,
>
> This rule generated a lot of false positives on my network on the SMTP service:
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)
>
> So I rewrote the rule to:
> alert ip $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)
> But Snort still sent an alert on port 25 when I sent "AAAAA...." on TCP port 25....
>
> So I rewrote this rule to:
> alert tcp $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)
> Then I sent "AAA..." on TCP port 25, and it worked! Snort did not send any alert.
>
> So, is it normal that the "alert ip ... !25" rule sends an alert when I send "AAA...." on TCP port 25, and the rule "alert tcp ....!25" does not?
> Why doesn't "alert ip ... !25" work?
>
> Regards,
>
> Flavian Dola
>
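The behaviour Joel describes, worked through in an added example that is not part of the list thread and not Snort's own matching code. It is a small Python model of rule-header matching: addresses are reduced to the labels "external" and "home" (the mapping for $EXTERNAL_NET and $HOME_NET is constructed, the real values are CIDR lists that the thread does not give), only the "->" direction is handled, and the packets are constructed. The one point it is built to show is that an "ip" rule is decided at layer 3, so the port columns are never consulted, while a "tcp" rule honours "!25".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Stand-ins for the snort.conf variables. Constructed for this example; the
# poster's real $EXTERNAL_NET / $HOME_NET values are not on the page.
VARS = {"$EXTERNAL_NET": "external", "$HOME_NET": "home"}


@dataclass
class Packet:
    """Simplified packet: network labels instead of real IP addresses."""
    proto: str              # "tcp", "udp", "icmp", ...
    src_net: str            # "external" or "home"
    dst_net: str
    src_port: Optional[int]  # None for protocols without ports (icmp)
    dst_port: Optional[int]
    payload: bytes


HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text: str) -> dict:
    """Parse a one-direction rule header plus its option list into a dict."""
    m = HEADER_RE.match(" ".join(text.split()))  # undo mail-client line wrapping
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    opts = {}
    for item in m["opts"].split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule = m.groupdict()
    rule["opts"] = opts
    return rule


def net_matches(spec: str, net: str) -> bool:
    return spec == "any" or VARS.get(spec) == net


def port_matches(spec: str, port: Optional[int]) -> bool:
    """Supports 'any', a single port, a lo:hi range, and a leading '!' negation."""
    if spec == "any":
        return True
    if port is None:
        return False
    negate = spec.startswith("!")
    body = spec.lstrip("!")
    if ":" in body:
        lo, _, hi = body.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(body)
    return hit != negate


def rule_matches(rule: dict, pkt: Packet) -> bool:
    # Protocol: "ip" covers every protocol carried over IP; tcp/udp/icmp are exact.
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not (net_matches(rule["src"], pkt.src_net) and net_matches(rule["dst"], pkt.dst_net)):
        return False
    # Ports are a layer-4 field. An "ip" rule is decided at layer 3, so its port
    # columns are not consulted at all: "!25" on an ip rule changes nothing.
    # tcp and udp rules do check both port columns.
    if rule["proto"] in ("tcp", "udp"):
        if not (port_matches(rule["sport"], pkt.src_port)
                and port_matches(rule["dport"], pkt.dst_port)):
            return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt.payload


def evaluate(rule_text: str, pkt: Packet) -> bool:
    return rule_matches(parse_rule(rule_text), pkt)


# The two rules from the thread, unwrapped onto one line each.
IP_RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx NOOP"; '
           'content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)')
TCP_RULE = IP_RULE.replace("alert ip", "alert tcp", 1)

# Constructed traffic: a run of "A" inside an SMTP command, the same thing on
# another port, and an ordinary SMTP greeting.
SMTP_PKT = Packet("tcp", "external", "home", 40000, 25, b"MAIL FROM:<" + b"A" * 64 + b">\r\n")
OTHER_PORT_PKT = Packet("tcp", "external", "home", 40000, 8080, b"A" * 64)
BENIGN_SMTP_PKT = Packet("tcp", "external", "home", 40000, 25, b"EHLO mail.example\r\n")

if __name__ == "__main__":
    for name, rule in (("ip  !25", IP_RULE), ("tcp !25", TCP_RULE)):
        print(name, "vs tcp/25 :", evaluate(rule, SMTP_PKT))
        print(name, "vs tcp/8080:", evaluate(rule, OTHER_PORT_PKT))
```

Run stand-alone it prints that the ip rule fires on the port-25 packet while the tcp rule does not, and both fire on the port-8080 packet. The practical reading is the one in the thread: a port exclusion only has meaning once the rule's protocol is one that carries ports, so the fix is the tcp rule, not "!25" on an ip rule.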