[Snort-sigs] rule exclusion by content

lravelo at us.hellmann.net
Thu Jul 13 12:06:47 EDT 2017


That's exactly what I was looking for.  Thanks for the info.

Regards,

Lazaro Ravelo
ISS Systems Engineer II

Hellmann Worldwide Logistics Inc.
10450 Doral Blvd
Doral, FL  33178
Phone:  +1 305 406 4500
Fax:  +1 305 418 4992
Direct:  +1 305 406 4574
Mobile:  +1 305 927 1386
Email:  Lazaro.Ravelo at us.hellmann.net
Web:  www.hellmann.com
 
THINKING AHEAD - MOVING FORWARD




From:   "Al Lewis (allewi)" <allewi at cisco.com>
To:     "lravelo at us.hellmann.net" <lravelo at us.hellmann.net>, 
"snort-sigs at lists.snort.org" <snort-sigs at lists.snort.org>
Date:   07/13/2017 11:58 AM
Subject:        Re: [Snort-sigs] rule exclusion by content



You can negate content:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION00451000000000000000

Taken from the “note” section

Note:
A ! modifier negates the results of the entire content search, modifiers
included. For example, if using content:!"A"; within:50; and there are
only 5 bytes of payload and there is no "A" in those 5 bytes, the result
will return a match. If there must be 50 bytes for a valid match, use
isdataat as a precursor to the content.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com 

From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of "lravelo at us.hellmann.net" <lravelo at us.hellmann.net>
Date: Thursday, July 13, 2017 at 11:52 AM
To: "snort-sigs at lists.snort.org" <snort-sigs at lists.snort.org>
Subject: [Snort-sigs] rule exclusion by content

Good morning, 

I have this rule which generates way too many alerts in squert:

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt"; sid:19187; gid:3; rev:7; classtype:attempted-user; reference:cve,2011-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata: engine shared, soid 3|19187, policy max-detect-ips drop;)

We use OpenDNS in our environment, and it seems like every single alert 
contains "opendns" somewhere in the content.  I'm sure there's a way to 
adjust or create another rule which negates the alert if the payload 
contains the word "opendns", but I've not seen any examples of this online. 
Any help is appreciated :-)

Regards,

Lazaro Ravelo
ISS Systems Engineer II


>Disclaimer: Please note that Internet communications are not secure and 
therefore HELLMANN WORLDWIDE LOGISTICS does not accept legal 
responsibility for the contents of this message. This e-mail is intended 
only for the use of the individual or entity named above and may contain 
information that is confidential and privileged. If you are not the 
intended recipient, you are hereby notified that any dissemination, 
distribution or copying of this e-mail is strictly prohibited. Opinions, 
conclusions and other information in this message that do not relate to 
the official business of HELLMANN WORLDWIDE LOGISTICS shall be understood 
as neither given nor endorsed by it. Viruses: HELLMANN WORLDWIDE LOGISTICS 
takes all possible steps to ensure that emails are virus free, but does 
not accept any liability or responsibility whatsoever for any claims, 
losses or damages arising as a result of any party accessing this email or 
files attached to it.


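Editor's added example (not code from the thread, from Snort, or from the Snort manual): a small Python model of the content/isdataat semantics that the quoted manual note describes, run over constructed payloads. It shows the exclusion the question asked for (a negated, case-insensitive content:!"opendns"; nocase;), why nocase matters when the string appears on the wire as "OpenDNS", and the manual's caveat that content:!"A"; within:50; matches a 5-byte payload unless isdataat:50 comes first. The window and isdataat semantics are assumptions stated in the comments; the dataclasses, helper names and sample payloads are invented for the example.

```python
"""Model of the Snort 2 content / isdataat option semantics quoted above.

Added example for this page; it is not Snort's matching engine. It covers
only the options the thread touches: content with the ! negation and
nocase, offset/depth (absolute) and distance/within (relative), and
isdataat with an optional relative flag.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class Content:
    pattern: bytes
    negated: bool = False            # content:!"..."
    nocase: bool = False
    offset: int = 0                  # absolute search start
    depth: Optional[int] = None      # absolute window length from offset
    distance: Optional[int] = None   # relative gap after the previous match
    within: Optional[int] = None     # relative window length


@dataclass
class IsDataAt:
    count: int
    relative: bool = False


Option = Union[Content, IsDataAt]


def _find(payload: bytes, pattern: bytes, start: int, end: int, nocase: bool) -> int:
    hay, needle = payload[start:end], pattern
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    idx = hay.find(needle)
    return -1 if idx < 0 else start + idx


def content_matches(payload: bytes, opt: Content, cursor: int) -> Tuple[bool, int]:
    """Evaluate one content option; return (matched, new_cursor).

    Assumption: depth/within give the length of the window in which the
    whole pattern must fit. A negated content inverts the result of the
    entire search, modifiers included, and leaves the cursor where it was.
    """
    if opt.distance is not None or opt.within is not None:
        start = max(0, cursor + (opt.distance or 0))
        end = len(payload) if opt.within is None else start + opt.within
    else:
        start = opt.offset
        end = len(payload) if opt.depth is None else start + opt.depth
    idx = _find(payload, opt.pattern, start, end, opt.nocase)
    if opt.negated:
        return idx < 0, cursor
    if idx < 0:
        return False, cursor
    return True, idx + len(opt.pattern)


def rule_matches(payload: bytes, options: List[Option]) -> bool:
    """Options are ANDed in order, like the body of a Snort rule."""
    cursor = 0
    for opt in options:
        if isinstance(opt, Content):
            ok, cursor = content_matches(payload, opt, cursor)
        else:
            # Assumption: isdataat:N holds when a byte exists at index N
            # (counted from the cursor when relative), i.e. len > base + N.
            base = cursor if opt.relative else 0
            ok = len(payload) > base + opt.count
        if not ok:
            return False
    return True


# Constructed payloads (not captures): a 12-byte DNS header stub followed
# by text, padded so both are well over 50 bytes.
OPENDNS_RESPONSE = b"\x12\x34\x81\x80" + b"\x00" * 8 + b"resolver1.OpenDNS.com" + b"\x00" * 40
OTHER_RESPONSE = b"\x12\x34\x81\x80" + b"\x00" * 8 + b"ns.example.net" + b"\x00" * 40

# What the thread asked for: exclude any payload that mentions OpenDNS.
# nocase matters because the string appears as "OpenDNS" on the wire here.
EXCLUDE_OPENDNS = [Content(b"opendns", negated=True, nocase=True)]
EXCLUDE_OPENDNS_CASE_SENSITIVE = [Content(b"opendns", negated=True)]

# The manual's caveat: 5 bytes of payload, no "A" anywhere.
SHORT_PAYLOAD = b"BCDEF"
NEGATED_WITHIN = [Content(b"A", negated=True, within=50)]
NEGATED_WITHIN_GUARDED = [IsDataAt(50), Content(b"A", negated=True, within=50)]


if __name__ == "__main__":
    print("OpenDNS response excluded:", not rule_matches(OPENDNS_RESPONSE, EXCLUDE_OPENDNS))
    print("other response still alerts:", rule_matches(OTHER_RESPONSE, EXCLUDE_OPENDNS))
    print("5-byte payload, !A within 50:", rule_matches(SHORT_PAYLOAD, NEGATED_WITHIN))
    print("same with isdataat:50 first:", rule_matches(SHORT_PAYLOAD, NEGATED_WITHIN_GUARDED))
```

Two practitioner caveats the model makes visible. First, a content-based exclusion is evadable: any DNS response that happens to contain the excluded string, including one an attacker crafts, skips the rule, so the negated string should be as specific as the environment allows. Second, sid:19187 is a gid:3 shared-object rule (metadata: engine shared), whose detection logic is compiled rather than written in the stub; the thread does not say how an extra content option would be attached to such a stub, and the model above only shows what the option does once it is evaluated.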

