[Snort-sigs] Alerting for traffic in internal network

Tyler MacPherson tah338 at ...3678...
Wed Dec 19 11:02:48 EST 2012


Currently, I'm trying to write some Snort rules for my company. I feel 
that these rules should be fairly simple, but I'm running into some 
issues with getting them to work properly, and I was wondering if I 
could get some assistance, as I am new to Snort and IDSs in general. 
Basically, we have a firewall, which to get to, you would need to go 
through 2 other systems first. Behind that firewall we have an internal 
network. What I need to do is write rules that 1) Alert any time a 
system on that inner network makes an outbound connection, 2) Alert any 
time there is traffic destined for the network behind the firewall, that 
is not SQL Server traffic, and 3) Alert when there is traffic between 
systems on the inner network that is not SQL (ssh, rdesktop, etc).

Here are the rules I currently have in place:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound connection 
from inner network"; sid: 1000009; priority:1;threshold:type threshold, 
track by_dst, count 7, seconds 60;)

alert tcp $EXTERNAL_NET !1433 -> $HOME_NET !1433 (msg:"Incoming traffic 
that is not SQL Server"; sid: 1000010; priority:1;threshold:type 
threshold, track by_src, count 7, seconds 60;)

alert tcp $HOME_NET !1433 <> $HOME_NET !1433 (msg:"Incoming traffic 
between machines on internal network that is not SQL Server";sid: 
1000011; priority:1;)

The first two seem to work OK; my question on those is whether there is 
a way for them to be more robust, or written in a better way. The third 
one, however, does not seem to work at all, and I'm not exactly sure why 
that is. So, there's my problem(s). Any help would be greatly appreciated.

Also, I should mention that my $HOME_NET variable is defined as and $EXTERNAL_NET is set as !$HOME_NET.

Thanks in advance.
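As an added illustration (this is not code from the post and not Snort itself), the following Python model replays the three posted rules over a few constructed flows. It parses only the header forms those rules use (`$HOME_NET`, `$EXTERNAL_NET` defined as `!$HOME_NET`, `any`, a single port with optional `!` negation, `->` and `<>`) and models the `threshold` option as "alert on every count-th matching event from the tracked address within the window". `$HOME_NET` is assumed to be 10.10.0.0/16 because the post does not show its value; the flows and timestamps are constructed.

```python
"""Toy model of the three Snort rules from the post: header matching
(addresses, ports, negation, '->' vs '<>') plus the 'threshold' option.
Added example, not Snort itself and not the poster's code."""
import ipaddress
import re
from collections import defaultdict

# Constructed variable values: the post does not show the real $HOME_NET.
VARS = {"$HOME_NET": ["10.10.0.0/16"], "$EXTERNAL_NET": ["!$HOME_NET"]}

# The three rules as posted, one per line.
RULES = """
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound connection from inner network"; sid: 1000009; priority:1;threshold:type threshold, track by_dst, count 7, seconds 60;)
alert tcp $EXTERNAL_NET !1433 -> $HOME_NET !1433 (msg:"Incoming traffic that is not SQL Server"; sid: 1000010; priority:1;threshold:type threshold, track by_src, count 7, seconds 60;)
alert tcp $HOME_NET !1433 <> $HOME_NET !1433 (msg:"Incoming traffic between machines on internal network that is not SQL Server";sid: 1000011; priority:1;)
"""

HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")


def match_addr(spec, ip):
    """'any', a $variable, a CIDR, or a '!'-negated form of those."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip)
    if spec.startswith("$"):
        return any(match_addr(s, ip) for s in VARS[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_port(spec, port):
    """'any', a single port, or '!port' (the only forms the posted rules use)."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not match_port(spec[1:], port)
    return port == int(spec)


def parse_rule(line):
    """Split one rule into header terms and the sid/msg/threshold options."""
    action, proto, sa, sp, direction, da, dp, body = HEADER.match(line.strip()).groups()
    opts = {}
    for opt in body.split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    rule = {"src": (sa, sp), "dir": direction, "dst": (da, dp),
            "sid": int(opts["sid"]), "msg": opts["msg"], "threshold": None}
    if "threshold" in opts:
        t = dict(part.split() for part in opts["threshold"].split(","))
        rule["threshold"] = {"track": t["track"], "count": int(t["count"]),
                             "seconds": int(t["seconds"])}
    return rule


def header_matches(rule, flow):
    """flow = (src_ip, src_port, dst_ip, dst_port); '<>' tries both directions."""
    src_ip, src_port, dst_ip, dst_port = flow

    def side(spec, ip, port):
        return match_addr(spec[0], ip) and match_port(spec[1], port)

    forward = side(rule["src"], src_ip, src_port) and side(rule["dst"], dst_ip, dst_port)
    if rule["dir"] == "->":
        return forward
    return forward or (side(rule["src"], dst_ip, dst_port) and side(rule["dst"], src_ip, src_port))


class Engine:
    """Simplified 'type threshold': alert on every count-th matching event from
    the tracked address inside a 'seconds'-long window, and on nothing before that."""

    def __init__(self, rules_text):
        self.rules = [parse_rule(l) for l in rules_text.strip().splitlines()]
        self.state = defaultdict(lambda: [None, 0])  # (sid, tracked ip) -> [window_start, count]

    def process(self, ts, flow):
        """Feed one flow at time ts; return the list of (ts, sid, msg) alerts it raised."""
        alerts = []
        for rule in self.rules:
            if not header_matches(rule, flow):
                continue
            th = rule["threshold"]
            if th is None:
                alerts.append((ts, rule["sid"], rule["msg"]))
                continue
            key = flow[0] if th["track"] == "by_src" else flow[2]
            st = self.state[(rule["sid"], key)]
            if st[0] is None or ts - st[0] >= th["seconds"]:
                st[0], st[1] = ts, 0          # start a fresh window
            st[1] += 1
            if st[1] == th["count"]:
                alerts.append((ts, rule["sid"], rule["msg"]))
                st[1] = 0
        return alerts


if __name__ == "__main__":
    eng = Engine(RULES)
    # Constructed flows: internal -> internet, internet -> internal, internal <-> internal
    sample = [(i, ("10.10.1.5", 50000 + i, "8.8.8.8", 443)) for i in range(7)]
    sample += [(10, ("203.0.113.9", 40000, "10.10.1.5", 22)),
               (11, ("203.0.113.9", 1433, "10.10.1.5", 50001)),
               (12, ("10.10.1.5", 50002, "10.10.2.7", 22)),
               (13, ("10.10.1.5", 50003, "10.10.2.7", 1433))]
    for ts, flow in sample:
        for alert in eng.process(ts, flow):
            print(alert)
```

Running the script shows three things worth checking against the real sensor: the first rule only alerts on the seventh outbound connection to the same destination inside 60 seconds, so a single connection produces nothing; a single inbound SSH connection likewise stays below the second rule's threshold; and `!1433` on both sides of a rule excludes any flow in which either the source or the destination port is 1433, while the third rule, having no threshold, alerts on the first matching flow in either direction.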
