[Snort-users] Rules question

Erik Engberg Erik.Engberg at ...511...
Mon Oct 23 07:16:34 EDT 2000

If any traffic besides web (or the rest you expect, ftp, https, smtp etc)
shouldn´t be allowed I recommend you filter it out with firewalls or router
It will be VERY tedious to have alarms go off whenever "normal" traffic
occurs that is allowed by filters but not by policy.

Of course there is nothing saying you can´t do both if you want to be
paranoid ;)

btw, I guess there´s a typo on 3rd rule there. First word should be udp
(instead of tcp).

-----Original Message-----
From: A.L.Lambert [mailto:alambert at ...387...]
Sent: den 22 oktober 2000 22:14
To: Adrian Asher
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Rules question

> Can you use snort to say
>  anything other than
>  any any web
>  so you input what you expect, and detect the rest?
>  In addition to detecting attacks within what is allowed?
>  Thanks
>  Adrian

tcp !$HOME_NET any -> $HOME_NET :79 (msg: "TCP access attempt";)
tcp !$HOME_NET any -> $HOME_NET 81: (msg: "TCP access attempt";)
tcp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)

	That'll pickup any UDP traffic at all, and TCP traffic from 0-79
and from 81-65535.

	You'll want to specify the !$HOME_NET -> $HOME_NET because other
wise the src ports will set off false alarms by the truckload.  (because
in a any any <> any any, your webserver will be sending requests to
clients on ports other than 80, thus setting off your snort if you don't
have $HOME_NET's specified as mentioned above).

	You'll probably generate a lot more alerts with the above examples
than you want too, but it'll give you someplace to start tweaking from.  

-- A.L.Lambert

Snort-users mailing list
Snort-users at lists.sourceforge.net

More information about the Snort-users mailing list