[Snort-sigs] Snort rule help

Control Sec controlsecengineer at gmail.com
Tue Feb 12 11:29:52 EST 2019


Hello,

Requesting some Snort rule help. I have 2 machines. Each is a server to the other, and to other common clients. Unfortunately, because they are servers for each other for the same application, they call each other on the same listening port.
 
Ex. (port # changed for privacy)
In some sessions, Server 1 requests data from Server 2 on the listening port 1234
In other sessions, Server 2 requests data from Server 2 on the listening port 1234
Both have clients on the network that request data on the listening port 1234, as well.
 
I am trying to write a rule that says “if server1, server2 are talking to anyone not on port 1234, alert.” Problem is, because the two servers talk to each other on that port, they are firing because of the ephemeral port in the session. Here is a copy of the rule.
 
alert tcp [$SERVERS] any -> [$SERVERS] !1234 (msg:"SERVER talking to each other on unexpected port"; flow:to_server; threshold:type limit, track by_src, count 1, seconds 3600; sid:xxxxxxxx; rev:1;)
 
Where $SERVERS is defined in snort.conf and includes server1 & server2
 
I thought that “flow:to_server” would cover me, but no luck. Any thoughts?
 
Thanks



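An added example (not the poster's rule or Snort project code) that models only the rule header, leaving flow direction aside: the `any` source port is what lets a reply packet from the listening port to an ephemeral port satisfy `!1234` on the destination whenever Snort does not classify that packet as to_client, while negating the source port as well (`$SERVERS !1234 -> $SERVERS !1234`) excludes it and still catches a session that uses port 1234 on neither side. The addresses are constructed stand-ins for the poster's $SERVERS variable.

```python
import ipaddress
from typing import NamedTuple, Union

# Constructed stand-ins for the $SERVERS variable from snort.conf (assumption).
SERVERS = [ipaddress.ip_network("10.0.0.1/32"), ipaddress.ip_network("10.0.0.2/32")]
LISTEN_PORT = 1234

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

def in_servers(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SERVERS)

def port_matches(spec: Union[str, int], port: int) -> bool:
    """Snort-style port spec: 'any', a single port, or '!port' (negation)."""
    if spec == "any":
        return True
    if isinstance(spec, str) and spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)

def header_matches(pkt: Packet, sport_spec, dport_spec) -> bool:
    """Evaluate '$SERVERS <sport_spec> -> $SERVERS <dport_spec>' on one packet."""
    return (in_servers(pkt.src) and in_servers(pkt.dst)
            and port_matches(sport_spec, pkt.sport)
            and port_matches(dport_spec, pkt.dport))

def original_rule(pkt: Packet) -> bool:
    # Poster's header: [$SERVERS] any -> [$SERVERS] !1234
    return header_matches(pkt, "any", f"!{LISTEN_PORT}")

def tightened_rule(pkt: Packet) -> bool:
    # Source port negated too: [$SERVERS] !1234 -> [$SERVERS] !1234
    return header_matches(pkt, f"!{LISTEN_PORT}", f"!{LISTEN_PORT}")

# Constructed traffic: a normal request, its reply, and a genuinely odd session.
REQUEST = Packet("10.0.0.1", 50000, "10.0.0.2", 1234)  # server1 -> server2 service
REPLY   = Packet("10.0.0.2", 1234, "10.0.0.1", 50000)  # service -> ephemeral port
ODD     = Packet("10.0.0.1", 40000, "10.0.0.2", 2222)  # port 1234 on neither side

def evaluate(rule) -> dict:
    """Which of the three constructed packets the given header would match."""
    return {name: rule(p) for name, p in
            [("request", REQUEST), ("reply", REPLY), ("odd", ODD)]}

if __name__ == "__main__":
    print("original :", evaluate(original_rule))
    print("tightened:", evaluate(tightened_rule))
```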

