[Snort-sigs] Alerting for traffic in internal network
tah338 at ...3678...
Wed Dec 19 11:02:48 EST 2012
Currently, I'm trying to write some Snort rules for my company. I feel
that these rules should be fairly simple, but I'm running into some
issues with getting them to work properly, and I was wondering if I
could get some assistance, as I am new to Snort and IDSes in general.
Basically, we have a firewall, which, to get to, you would need to go
through 2 other systems first. Behind that firewall we have an internal
network. What I need to do is write rules that 1) alert any time a
system on that inner network makes an outbound connection, 2) alert any
time there is traffic destined for the network behind the firewall that
is not SQL Server traffic, and 3) alert when there is traffic between
systems on the inner network that is not SQL (ssh, rdesktop, etc.).
Here are the rules I currently have in place:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound connection from inner network"; sid:1000009; priority:1; threshold:type threshold, track by_dst, count 7, seconds 60;)

alert tcp $EXTERNAL_NET !1433 -> $HOME_NET !1433 (msg:"Incoming traffic that is not SQL Server"; sid:1000010; priority:1; threshold:type threshold, track by_src, count 7, seconds 60;)

alert tcp $HOME_NET !1433 <> $HOME_NET !1433 (msg:"Incoming traffic between machines on internal network that is not SQL Server"; sid:
The first two seem to work OK; my question on those is whether there is
a way for them to be more robust, or written in a better way. The third
one, however, does not seem to work at all, and I'm not exactly sure why
that is. So, there's my problem(s). Any help would be greatly appreciated.
Also, I should mention that my $HOME_NET variable is defined as
10.10.1.0/20 and $EXTERNAL_NET is set as !$HOME_NET.
Thanks in advance.
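As an added example (not the poster's rules and not from the Snort project), here is one way to express the three goals so that each rule keys on the SYN that opens a TCP session rather than on every packet, which also removes the need to negate port 1433 on the source side. It assumes the poster's variable definitions, placeholder SIDs in the local range, and a sensor positioned where it actually sees intra-network traffic (a sensor at the firewall never sees host-to-host traffic on the inner segment).

```snort
# Added example, not the poster's rules. Assumes HOME_NET = 10.10.1.0/20 and
# EXTERNAL_NET = !$HOME_NET as stated in the post; SIDs are placeholders.
# flags:S,12 matches only a SYN (ignoring the ECN reserved bits), so a rule
# fires once per connection attempt instead of once per packet, and SQL
# Server replies (source port 1433) never need to be excluded separately.

# 1) Any new outbound session from the inner network, at most one alert
#    per internal source host per minute.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound connection from inner network"; flags:S,12; threshold:type limit, track by_src, count 1, seconds 60; priority:1; sid:1000009; rev:2;)

# 2) Any new inbound session to the inner network that is not to SQL Server.
alert tcp $EXTERNAL_NET any -> $HOME_NET !1433 (msg:"Inbound connection that is not SQL Server"; flags:S,12; threshold:type limit, track by_src, count 1, seconds 60; priority:1; sid:1000010; rev:2;)

# 3) Any new session between two inner-network hosts that is not to SQL
#    Server (SSH, RDP and so on). A one-directional rule keyed on the SYN
#    replaces the bidirectional '<>' form; the sensor must be able to see
#    this host-to-host traffic for the rule to ever match.
alert tcp $HOME_NET any -> $HOME_NET !1433 (msg:"Connection between internal hosts that is not SQL Server"; flags:S,12; threshold:type limit, track by_src, count 1, seconds 60; priority:1; sid:1000011; rev:1;)
```

Because `threshold:type limit` suppresses repeats per source for a minute, a host scanning many internal peers still produces one alert per minute; raise `count` or switch to `track by_dst` if each destination should be reported.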