[Snort-sigs] Snort Rule Creation

John G drterdnugget at ...2420...
Tue Jan 31 20:50:15 EST 2017


That is from Sourcefire.  This is what the actual rule looks like now.

alert ip !Source address any <> [All, 8, destination, addresses] any
(sid:1000000; gid:1; msg:"Unwanted Traffic"; classtype:tcp-connection;
rev:5; )

The rule should work, right?   It might be an issue with the way our network is
set up and where our IDS is located.

On Tue, Jan 31, 2017 at 7:41 PM, Desmond Agee <dezmondagee at ...144...> wrote:

> What program is that a snap-shot of?
>
> Desmond Agee
>
> On Jan 31, 2017, at 8:27 PM, John G <drterdnugget at ...2420...> wrote:
>
> Alright, so this is basically what I did.
>
> Alert ip !SOURCEIP any [8, Destination, IP's] any (msg:"Unauthorized TCP
> traffic initiated";)
>
> I figured out that you can negate with ! in front of the IP's.  To test
> it, I have been sending ping packets to the destination IP's from a source
> IP address that is NOT what I entered in the Source IP part of the rule.
> However, I am not receiving any alerts.  Do I need to add arguments to look
> for TCP traffic?
>
> On Tue, Jan 31, 2017 at 5:58 PM, John G <drterdnugget at ...2420...> wrote:
>
>> Forgot to attach the screenshot.
>>
>> On Tue, Jan 31, 2017 at 5:09 PM, Joel Esler (jesler) <jesler at ...3865...>
>> wrote:
>>
>>> Maybe something like:
>>>
>>> alert tcp $SOURCEIP any -> ![destip1, destip2, destip3] any
>>> (msg:"Unauthorized TCP traffic initiated"; flags:S; sid:1000000; rev:1;)
>>>
>>>
>>> ?
>>>
>>>
>>> --
>>> Joel Esler | Talos: Manager | jesler at ...3865...
>>>
>>> On Jan 31, 2017, at 5:33 PM, John G <drterdnugget at ...2420...> wrote:
>>>
>>> Good Afternoon everyone,
>>>
>>> My name is John and I am starting out with creating Snort rules.  I have
>>> experience using Snort with IDS's such as Sourcefire and Security Onion for
>>> incident response.  However, I don't have much experience creating custom
>>> rules.  Although I once created a rule during one of my security classes
>>> during my undergrad program, lol.  Anyway, I have been reading documentation
>>> for how to understand/create rules from a variety of sources.  But I wanted
>>> to reach out to you guys and see what information you can provide.
>>>
>>> I have a device that is communicating with about 8 other devices.  I
>>> would like to write a rule that alerts if it detects any communication
>>> outside of those devices.
>>>
>>> Is it possible to list multiple IP addresses within a rule and maybe use
>>> an "is not" ("!=") attribute?
>>>
>>> So something like: alert tcp != sourceip1  80 -> destip1, destip2,
>>> destip3, etc (msg:"Alert Message";)
>>>
>>> I would appreciate any assistance and will continue to do my own
>>> research and see if I can figure it out on my own :)
>>>
>>> Regards,
>>> John
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>> http://www.snort.org
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>> Visit Snort.org to subscribe to the official Snort ruleset, make
>>> sure to stay up to date to catch the most emerging threats
>>> (https://snort.org/downloads/#rule-downloads)!
>>>
>>>
>>>
>>
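The three rule shapes that come up in this thread (Joel's `tcp ... -> ... flags:S` suggestion, a protocol-agnostic `ip ... <> ...` form of the original request, and the negated-source `!$SOURCEIP` form from the later post), worked through as an added example that is not code from the thread or from the Snort project. The script below is a toy matcher that implements Snort's rule-header semantics for `any`, `$VAR`, `!`, `[a,b,!c]` lists, `->`/`<>` and the `flags:S` option, then runs each rule over a handful of constructed packets. The addresses, the `$MONITORED`/`$PEERS` bindings (standing in for `ipvar` lines in the Snort configuration), the packets and sids 1000001/1000002 are all assumptions made for the example; a list containing only negated members is treated as "everything except", and only a bare `flags:S` is modelled.

```python
import ipaddress
import re

# Constructed bindings standing in for ipvar lines in snort.conf: the single
# monitored device from the thread and its allowed peers (three shown, not
# eight, to keep the example short). All addresses are made up.
VARS = {
    "$MONITORED": "10.10.1.5",
    "$PEERS": "[10.10.1.10,10.10.1.11,10.10.1.12]",
}

# Candidate rules from the thread with placeholders replaced by the variables
# above. sid 1000000 is from Joel's post; 1000001/1000002 are chosen here.
RULES = {
    # Joel's form: the device's outbound TCP SYNs to anything outside the peers.
    "tcp_syn_outbound": 'alert tcp $MONITORED any -> !$PEERS any '
                        '(msg:"Unauthorized TCP traffic initiated"; flags:S; sid:1000000; rev:1;)',
    # Any protocol, either direction: a packet between the device and a non-peer.
    "ip_any_direction": 'alert ip $MONITORED any <> !$PEERS any '
                        '(msg:"Unwanted Traffic"; sid:1000001; rev:1;)',
    # Negated-source form from the later post: non-monitored hosts and the peers.
    "negated_source": 'alert ip !$MONITORED any <> $PEERS any '
                      '(msg:"Unwanted Traffic"; sid:1000002; rev:1;)',
}

# Constructed packets (not captures): addresses, ports and TCP flags.
PACKETS = {
    "syn_to_peer": dict(proto="tcp", src="10.10.1.5", sport=40000, dst="10.10.1.10", dport=22, flags="S"),
    "syn_to_outsider": dict(proto="tcp", src="10.10.1.5", sport=40001, dst="203.0.113.7", dport=443, flags="S"),
    "ack_to_outsider": dict(proto="tcp", src="10.10.1.5", sport=40001, dst="203.0.113.7", dport=443, flags="A"),
    "ping_from_outsider": dict(proto="icmp", src="203.0.113.7", sport=0, dst="10.10.1.5", dport=0),
    "ping_outsider_to_peer": dict(proto="icmp", src="203.0.113.7", sport=0, dst="10.10.1.10", dport=0),
}


def ip_matches(spec, ip):
    """Snort address-spec semantics: any, $VAR, !spec, [a,b,!c], host or CIDR."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec.startswith("$"):
        return ip_matches(VARS[spec], ip)
    if spec.startswith("["):
        items = spec[1:-1].split(",")
        positive = [i for i in items if not i.startswith("!")]
        negative = [i[1:] for i in items if i.startswith("!")]
        # In a list the IP must hit a positive member and miss every negated
        # one; a list of only negated members is "any host except" (assumption).
        return (not positive or any(ip_matches(i, ip) for i in positive)) \
            and not any(ip_matches(i, ip) for i in negative)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Port spec: any, !spec or a single port number (ranges not modelled)."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    return int(spec) == port


HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split 'action proto src sport dir dst dport (options)' into a dict."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        if ":" in opt:
            key, _, value = opt.strip().partition(":")
            options[key.strip()] = value.strip().strip('"')
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport, options=options)


def rule_fires(rule, pkt):
    """True if the packet satisfies the rule header and its flags option."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    # flags:S only matches a bare SYN; an ICMP packet has no flags at all.
    if "flags" in rule["options"] and pkt.get("flags") != rule["options"]["flags"]:
        return False

    def oriented(s, sp, d, dp):
        return (ip_matches(rule["src"], s) and port_matches(rule["sport"], sp)
                and ip_matches(rule["dst"], d) and port_matches(rule["dport"], dp))

    forward = oriented(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["direction"] == "->":
        return forward
    # <> also tries the swapped orientation.
    return forward or oriented(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def evaluate():
    """Map each packet name to the list of rule names that fire on it."""
    parsed = {name: parse_rule(text) for name, text in RULES.items()}
    return {p: [r for r in parsed if rule_fires(parsed[r], pkt)] for p, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:24s} -> {hits or 'no alert'}")
```

Running it shows the point the thread circles around: a ping from an outside host (`ping_from_outsider`, `ping_outsider_to_peer`) never satisfies a `tcp` rule, and `flags:S` only fires on the SYN (`ack_to_outsider` is silent for Joel's rule). The `ip ... <> !$PEERS` form alerts on every packet that involves the monitored device and a non-peer in either direction, while the negated-source form fires on a different population, traffic between non-monitored hosts and the peer list, so which of the two is right depends on which side of the conversation the IDS is meant to watch.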