[Snort-users] Rule question

Bill Marquette wlmarque at ...8...
Mon Jul 17 10:17:41 EDT 2000


Thanks for setting up the new list Marty!  Here's a post to the old list from me
that I know bounced.

--Bill
---------------------- Forwarded by Bill Marquette/National/Hewitt Associates on
07/17/2000 09:17 AM ---------------------------

From: Bill Marquette on 07/14/2000 03:50 PM
      Lincolnshire/98-1E-1

To:   snort at ...9...
cc:
Client:
Subject:  Rule question  (Document link: Database 'Bill Marquette', View
      '($Sent)')


I've been playing around with some scripts to download the rule sets and
accidentally triggered snort on my local machine due to the backdoor signature
rules.

[**] BACKDOOR SIGNATURE - SubSeven 2.1 Login Detected! [**]
xx.xx.xx.xx:3128 -> xx.xx.xx.xx:32786 Proto: 6
[**] BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enable from Client [**]
xx.xx.xx.xx:3128 -> xx.xx.xx.xx:32786 Proto: 6

The two following rules correspond to the SubSeven match...

alert tcp any !80 -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enable from Client"; flags:PA; content:"FTPenable!";)
alert tcp $HOME_NET !80 -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - SubSeven 2.1 Login Detected!"; flags:PA; content:"connected. time/date";)

I totally understand why the rules were matched; we're running squid, so I
_could_ just change the rule to be !3128 ($HOME_NET is set to any as that works
the best in our situation).  However, looking at some of the other rules (and at
the rule docs) I see:

alert tcp $HOME_NET !53:80 -> $HOME_NET 5032 (msg:"BACKDOOR SIGNATURE - NetMetro Outbound Data"; flags:PA;)

The docs state this should be "NOT ports 53 through 80"; however, this rule seems
like it would make more sense as "NOT (port 80 OR port 53)".  Am I wrong in this
interpretation?  Is there any way to get OR for ports other than to make
duplicate rules?  I'm not averse to doing duplicate rules if that's the case,
although I suspect that I'd still get matches unless the 3128 rule managed to
match first, and then I'd be screwed for any in-house web servers that I connect
to directly on port 80.  I'm also not really wanting to have to keep a local set
of the rules just to get around these weird false positives if I don't need to.
My objective is to fully automate our rule downloads... at least to the point I
can dump them into my package build directory, build, and distribute to all
sensors myself.  I already use pass rules to pass known good traffic through, so
I suppose I can always go that route if needed.

Speaking of pass rules, if I just copy an alert rule and change the type to
pass, do I need to remove the msg part also?  I'd like to make life easy and be
able to have an "ignore" file with all my pass rules in it, but didn't want to
have to write a comment line and then figure out a good way to strip out only
the msg part of the rule before writing it to file.  Anybody else with thoughts
on this?

--Bill
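The port-field semantics the post asks about, worked through in a small evaluator: "!53:80" carves out the whole contiguous block 53 through 80, while "!80" carves out a single port, and separate rules are OR'ed rather than AND'ed. This is an added example, not Snort's own parser nor code from the list; the rule table is constructed from the rules quoted above (with their flags/content checks assumed satisfied) and the helper names are hypothetical.

```python
"""Evaluate Snort 1.x-style port fields (hypothetical helper, not Snort's parser).

Port fields are: 'any', a single port, a range 'lo:hi' (open-ended ':1024' or
'1024:' allowed), each optionally negated with a leading '!'.  Negation applies
to the whole field, so '!53:80' means "not 53 through 80", as the rule docs say.
"""

def parse_port_spec(spec: str):
    """Return (negated, lo, hi) for one port field."""
    spec = spec.strip()
    if spec == "any":
        return False, 0, 65535
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port field: {spec!r}")
    return negated, lo, hi

def port_matches(spec: str, port: int) -> bool:
    """True if `port` satisfies the field (a negated field matches outside it)."""
    negated, lo, hi = parse_port_spec(spec)
    inside = lo <= port <= hi
    return not inside if negated else inside

# Constructed rule table: (msg, source port field, destination port field);
# the flags/content checks of the real rules are assumed already satisfied.
RULES = [
    ("SubSeven 2.1 FTP Enable from Client", "!80", "any"),
    ("NetMetro Outbound Data", "!53:80", "5032"),
]

def alerts_fired(rules, src_port: int, dst_port: int):
    """Rules whose port fields both match a flow src_port -> dst_port.
    Separate rules are OR'ed: a flow from port 53 still fires the '!80' rule,
    so 'NOT (53 OR 80)' cannot be built from two single-port rules."""
    return [msg for msg, src, dst in rules
            if port_matches(src, src_port) and port_matches(dst, dst_port)]

def excluded_ports(spec: str, candidates=range(50, 86)):
    """Ports in `candidates` the field does NOT match (what the '!' carves out)."""
    return [p for p in candidates if not port_matches(spec, p)]
```

Running `alerts_fired(RULES, 3128, 32786)` reproduces the false positive from the post: the squid source port 3128 satisfies "!80", so the SubSeven rule fires on proxy traffic.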
