[Snort-users] Rule question

Martin Roesch roesch at ...1...
Mon Jul 17 15:58:27 EDT 2000


Bill Marquette wrote:
> 
> I've been playing around with some scripts to download the rule sets and
> accidently triggered snort on my local machine due to the backdoor signature
> rules.
> [**] BACKDOOR SIGNATURE - SubSeven 2.1 Login Detected! [**] xx.xx.xx.xx:3128 ->
> xx.xx.xx.xx:32786 Proto: 6
> [**] BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enable from Client [**]
> xx.xx.xx.xx:3128 -> xx.xx.xx.xx:32786 Proto: 6
> The two following rules correspond to the SubSeven match...
> alert tcp any !80 -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - SubSeven 2.1 FTP
> Enable from Client"; flags:PA; content:"FTPenable!";)
> alert tcp $HOME_NET !80 -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - SubSeven 2.1
> Login Detected!"; flags:PA; content:"connected. time/date";)
> 
> I totally understand why the rules were matched, we're running squid so I
> _could_ just change the rule to be !3128 ($HOME_NET is set to any as that works
> the best in our situation).  However, looking at some of the other rules (and at
> the rule docs) I see:
> alert tcp $HOME_NET !53:80 -> $HOME_NET 5032 (msg:"BACKDOOR SIGNATURE - NetMetro
> Outbound Data"; flags:PA;)
> 
> The docs state this should be "NOT ports 53 through 80", however this rule seems
> like it would make more sense as "NOT (port 80 OR port 53)".  Am I wrong in this
> interpretation?  Is there any way to get OR for ports other than to make
> duplicate rules?  I'm not adverse to doing duplicate rules if that's the case
> although I suspect that I'd still get matches unless the 3128 rule managed to
> match first, and then I'd be screwed for any inhouse web servers which I connect
> direct to port 80 on.  I'm also not really wanting to have to keep a local set
> of the rules just to get around these wierd false positives if I don't need to.
> My objective is to fully automate our rule downloads...at least to the point I
> can dump them into my package build directory, build, and distribute to all
> sensors myself.  I already use pass rules to pass known good traffic through, so
> I suppose I can always go that route if needed.

I'd use pass rules.  We'll (hopefully) be adding more and better logic to the
IP and port specifiers in version 1.7.

> Speaking of pass rules, if I just copy an alert rule and change the type to
> pass, do I need to remove the msg part also?  I'd like to make life easy and be
> able to have an "ignore" file with all my pass rules in it, but didn't want to
> have to write a comment line and then figure out a good way to strip out only
> the msg part of the rule before writing it to file.  Anybody else with thoughts
> on this?

You can do this.  Leaving the message there is fine, it'll just be ignored.

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management




More information about the Snort-users mailing list