[Snort-sigs] Snort Rule Creation

John G drterdnugget at ...2420...
Tue Jan 31 21:04:52 EST 2017


Hey Joel.  Yes I do.  I just left it as an "any" because I was trying
everything to get it to alert lol. But we are thinking that the issue is not
rule related.

On Tue, Jan 31, 2017 at 7:57 PM, Joel Esler (jesler) <jesler at ...3865...>
wrote:

> You know you can do ![80,443] as ports right?
>
> --
> Sent from my iPhone
>
> On Jan 31, 2017, at 8:50 PM, John G <drterdnugget at ...2420...> wrote:
>
> That is from Sourcefire.  This is what the actual rule looks like now.
>
> alert ip !Source address any <> [All, 8, destination, addresses] any
> (sid:1000000; gid:1; msg:"Unwanted Traffic"; classtype:tcp-connection;
> rev:5; )
>
> The rule should work right?   Might be an issue with the way our network
> is setup and where our ids is located.
>
> On Tue, Jan 31, 2017 at 7:41 PM, Desmond Agee <dezmondagee at ...144...>
> wrote:
>
>> What program is that a snap-shot of?
>>
>> Desmond Agee
>>
>> On Jan 31, 2017, at 8:27 PM, John G <drterdnugget at ...2420...> wrote:
>>
>> Alright, so this is basically what I did.
>>
>> alert ip !SOURCEIP any [8, Destination, IP's] any (msg:"Unauthorized TCP
>> traffic initiated";)
>>
>> I figured out that you can negate with ! in front of the IP's.  To test
>> it, I have been sending ping packets to the destination IP's from a source
>> IP address that is NOT what I entered in the Source IP part of the rule.
>> However, I am not receiving any alerts.  Do I need to add arguments to look
>> for TCP traffic?
>>
>> On Tue, Jan 31, 2017 at 5:58 PM, John G <drterdnugget at ...2420...> wrote:
>>
>>> Forgot to attach the screenshot.
>>>
>>> On Tue, Jan 31, 2017 at 5:09 PM, Joel Esler (jesler) <jesler at ...3865...>
>>> wrote:
>>>
>>>> Maybe something like:
>>>>
>>>> alert tcp $SOURCEIP any -> ![destip1, destip2, destip3] any
>>>> (msg:"Unauthorized TCP traffic initiated"; flags:S; sid:1000000; rev:1;)
>>>>
>>>>
>>>> ?
>>>>
>>>>
>>>> --
>>>> Joel Esler | Talos: Manager | jesler at ...3865...
>>>>
>>>> On Jan 31, 2017, at 5:33 PM, John G <drterdnugget at ...2420...> wrote:
>>>>
>>>> Good Afternoon everyone,
>>>>
>>>> My name is John and I am starting out with creating Snort rules.  I
>>>> have experience using Snort with IDS's such as Sourcefire and Security
>>>> Onion for incident response.  However, I don't have much experience
>>>> creating custom rules, although I once created a rule during one of my
>>>> security classes during my undergrad program lol.  Anyway, I have been
>>>> reading documentation for how to understand/create rules from a variety of
>>>> sources.  But I wanted to reach out to you guys and see what information
>>>> you can provide.
>>>>
>>>> I have a device that is communicating with about 8 other devices.  I
>>>> would like to write a rule that alerts if it detects any communication
>>>> outside of those devices.
>>>>
>>>> Is it possible to list multiple IP addresses within a rule and maybe
>>>> use an "is not" (!=) attribute?
>>>>
>>>> So something like: alert tcp != sourceip1  80 -> destip1, destip2,
>>>> destip3, etc (msg:"Alert Message";)
>>>>
>>>> I would appreciate any assistance and will continue to do my own
>>>> research and see if I can figure it out on my own :)
>>>>
>>>> Regards,
>>>> John
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Snort-sigs mailing list
>>>> Snort-sigs at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>
>>>> http://www.snort.org
>>>>
>>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>>
>>>> Visit Snort.org to subscribe to the official Snort ruleset, and make
>>>> sure to stay up to date to catch the most emerging threats:
>>>> https://snort.org/downloads/#rule-downloads
>>>>
>>>>
>>>>
>>>
>>
>
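As an added example (not code from the thread or from Snort itself), a small Python evaluator of the rule-header semantics discussed above: `!` negation of address and port lists, `[a,b]` lists, and `->` versus `<>`. It is a simplified model of Snort 2 header matching, and the device address, peer addresses and rules are constructed; it shows that a negated-source rule like the thread's last one fires on outsiders reaching the peers, while the negated-destination shape Joel suggested fires when the device itself talks outside the peer set.

```python
import ipaddress
import re
# Snort 2 rule header: action proto src sport dir dst dport, then '(' for the options.
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")

def parse_field(tok):
    """'any', '10.0.0.5', '!10.0.0.5', '[a,b]', '![80,443]' -> (negated, items or None)."""
    neg = tok.startswith("!")
    body = tok.lstrip("!").strip("[]")  # Snort 2 lists carry no whitespace
    return neg, (None if body == "any" else body.split(","))

def ip_match(addr, field):
    neg, items = field
    hit = items is None or any(
        ipaddress.ip_address(addr) in ipaddress.ip_network(i, strict=False) for i in items)
    return hit != neg  # a leading '!' inverts the membership test

def port_match(port, field):
    neg, items = field
    def in_item(i):  # single port, or Snort range 'lo:hi', 'lo:', ':hi'
        lo, sep, hi = i.partition(":")
        if not sep:
            return port == int(lo)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return (items is None or any(in_item(i) for i in items)) != neg

def matches(rule, proto, src, sport, dst, dport):
    """True when the packet 5-tuple satisfies the rule header. Protocol 'ip' covers every
    protocol; for ICMP pass port 0 against 'any' port fields, as Snort requires."""
    _action, rproto, rsrc, rsp, direction, rdst, rdp = HEADER.match(rule).groups()
    if rproto not in ("ip", proto):
        return False
    s, sp, d, dp = (parse_field(t) for t in (rsrc, rsp, rdst, rdp))
    def one_way(a, ap, b, bp):
        return ip_match(a, s) and port_match(ap, sp) and ip_match(b, d) and port_match(bp, dp)
    if direction == "->":
        return one_way(src, sport, dst, dport)
    return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)  # '<>'

# Constructed lab addresses: the monitored device and its eight peers.
DEVICE = "10.0.0.5"
PEERS = "[" + ",".join(f"10.0.1.{i}" for i in range(1, 9)) + "]"
# Shape of the thread's last rule: negated source, peer list as destination, bidirectional.
THREAD_RULE = f'alert ip !{DEVICE} any <> {PEERS} any (msg:"Unwanted Traffic"; sid:1000000; rev:5;)'
# Shape of Joel's suggestion: device as source, negated peer list as destination.
PEER_ONLY_RULE = f'alert ip {DEVICE} any -> !{PEERS} any (msg:"Outside peer set"; sid:1000001; rev:1;)'

def which_rules_fire(src, dst, proto="icmp"):
    return [name for name, rule in (("thread", THREAD_RULE), ("peer_only", PEER_ONLY_RULE))
            if matches(rule, proto, src, 0, dst, 0)]
```

Calling `which_rules_fire(DEVICE, "192.0.2.9")` returns only `["peer_only"]`, while an outsider pinging a peer trips only the thread's rule.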