[Snort-sigs] Question about writing rules...

Leon Ward seclists at ...3394...
Tue Aug 4 11:33:26 EDT 2009


Hi.

Take a look at DumbPig. http://leonward.wordpress.com/dumbpig/

[16:30:38]lward at ...3393...~/Documents/Sourcefire/Tools/dumbpig$ ./dumbpig -r dola.rules

DumbPig version 0.7 - leon.ward at ...435...
Because I hate looking for the same dumb problems with snort rule-sets

          __,,    ( Dumb-pig says     )
        ~(  oo ---( "ur rulz r not so )
          ''''    ( gud akshuly" *    )

Config
----------------------
* Sensivity level - 3/3
* Blacklist outputi : Disabled
* Processing File - dola.rules
* Check commented out rules : Disabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled
----------------------
Issue 1
1 Problem(s) found with rule on line 1 of dola.rules

alert ip $EXTERNAL_NET any -> $HOME_NET !25  ( \
        msg:"SHELLCODE x86 inc ecx NOOP"; \
        content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; \
        classtype:shellcode-detect; \
        sid:1394; \
        rev:10; \
)
- IP rule with port number (or var that could be set to a port number). This
is BAD and invalid syntax.
  It is likely that this rule head is not functioning as you expect it to.
  The IP protocol doesn't have port numbers.
  If you want to inspect both UDP and TCP traffic on specific ports use two
rules, its faster and valid syntax.
alert ip $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx
NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
classtype:shellcode-detect; sid:1394; rev:10;)

=============================================================================
--------------------------------------

On Tue, Aug 4, 2009 at 2:11 PM, Dola Flavian <flavian at ...3392...> wrote:

> Hi,
>
> This rule generated a lot of false positives on my network on the SMTP service:
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 inc ecx
> NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
> classtype:shellcode-detect; sid:1394; rev:10;)
>
> So I rewrote the rule to:
> alert ip $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx
> NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
> classtype:shellcode-detect; sid:1394; rev:10;)
> But Snort still sent an alert on port 25 when I sent "AAAAA...." on tcp port
> 25....
>
> So I rewrote this rule to:
> alert tcp $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx
> NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
> classtype:shellcode-detect; sid:1394; rev:10;)
> Then I sent "AAA..." on tcp port 25, and it worked! Snort did not send any
> alert.
>
> So, is it normal that "alert ip ... !25" sends an alert when I send
> "AAA...." on tcp port 25, and the rule "alert tcp ....!25" does not?
> Why doesn't "alert ip ... !25" work?
>
> Regards,
>
> Flavian Dola
>
>
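As an added example (not code from the original thread, and not DumbPig's own code), the following Python script implements the one check DumbPig reports above: it joins backslash-continued rule lines, parses the Snort rule header, flags any "ip" rule whose port fields are something other than "any" (a number, a negation such as !25, or a variable that could hold a port), and emits the tcp/udp pair that the tool's message recommends. The sample rule file, the $SMTP_PORTS variable and the sids handed to split_ip_rule are constructed for this example; Snort requires a distinct sid per rule, so the split cannot reuse one sid for both halves.

```python
import re

# Snort rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$",
    re.S,
)

# Constructed sample rule file (not a real ruleset): the three sid:1394 variants
# from the thread plus one ip rule whose source port is a variable, written in
# the backslash-continued layout that dumbpig prints.
SAMPLE_RULES = """\
# constructed sample rules for the checker
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)
alert ip $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:10;)
alert ip $EXTERNAL_NET $SMTP_PORTS -> $HOME_NET any ( \\
        msg:"constructed example - ip rule with a port variable"; sid:1000001; rev:1; \\
)
"""


def logical_rules(text):
    """Yield (first_line_no, rule_text), joining backslash-continued lines and
    skipping blank lines and comments."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(part.strip() for part in buf)
        buf, start = [], None


def parse_rule(text):
    """Split one rule into its header fields and its option string."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    rule["options"] = rule["options"].strip()
    return rule


def constrains_port(field):
    """'any' is the only port field that imposes no constraint; a number, a
    range, a negation like !25, or a variable that may hold a port all do."""
    return field.lower() != "any"


def ip_rule_with_ports(rule):
    """The check dumbpig reported: the ip protocol has no ports, so a port
    field other than 'any' on an ip rule cannot work as written."""
    return rule["proto"].lower() == "ip" and (
        constrains_port(rule["sport"]) or constrains_port(rule["dport"])
    )


def render(rule):
    return "%s %s %s %s %s %s %s (%s)" % (
        rule["action"], rule["proto"], rule["src"], rule["sport"],
        rule["dir"], rule["dst"], rule["dport"], rule["options"],
    )


def split_ip_rule(rule, tcp_sid, udp_sid):
    """Rewrite an ip rule with ports as the tcp and udp pair dumbpig suggests.
    Each rule needs its own sid, so the caller supplies both (the sids are an
    assumption of this example, not values from the thread)."""
    out = []
    for proto, sid in (("tcp", tcp_sid), ("udp", udp_sid)):
        rewritten = dict(rule, proto=proto)
        rewritten["options"] = re.sub(
            r"\bsid\s*:\s*\d+\s*;", "sid:%d;" % sid, rule["options"], count=1
        )
        out.append(render(rewritten))
    return out


def check_rules(text):
    """Return [(line_no, rule)] for every ip rule that carries a port constraint."""
    parsed = ((n, parse_rule(t)) for n, t in logical_rules(text))
    return [(n, r) for n, r in parsed if ip_rule_with_ports(r)]


if __name__ == "__main__":
    for line_no, rule in check_rules(SAMPLE_RULES):
        print("line %d: ip rule with port constraint: %s" % (line_no, render(rule)))
        for fixed in split_ip_rule(rule, 1394, 1000002):  # example sids
            print("    -> " + fixed)
```

Run against the sample file, the checker reports the "alert ip ... !25" rule and the "$SMTP_PORTS" rule and leaves the "alert ip ... any -> ... any" and "alert tcp ... !25" rules alone, which matches what Snort did in the original test: the port constraint on the ip rule did not stop the alert, while the tcp rule honoured it.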