[Snort-users] Rules question
Gene R. Gomez
ggomez at ...677...
Thu Oct 26 17:51:49 EDT 2000
Rather than the ruleset below, could you do something like:
alert tcp !$HOME_NET any -> $HOME_NET !80 (msg: "TCP access attempt";)
alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)
Seems easier; of course, you couldn't specify multiple ports to ignore using
my ruleset above, unless they were continuous. I should probably just look
in the documentation, but does snort support something like a !port
From: A.L.Lambert [mailto:alambert at ...387...]
Sent: 22 October 2000 22:14
To: Adrian Asher
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Rules question
> Can you use snort to say
> anything other than
> any any web
> so you input what you expect, and detect the rest?
> In addition to detecting attacks within what is allowed?
alert tcp !$HOME_NET any -> $HOME_NET :79 (msg: "TCP access attempt";)
alert tcp !$HOME_NET any -> $HOME_NET 81: (msg: "TCP access attempt";)
alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)
That'll pick up any UDP traffic at all, and TCP traffic from 0-79
and from 81-65535.
You'll want to specify the !$HOME_NET -> $HOME_NET because otherwise
the src ports will set off false alarms by the truckload (because
in an any any <> any any, your webserver will be sending requests to
clients on ports other than 80, thus setting off your snort if you don't
have $HOME_NET's specified as mentioned above).
You'll probably generate a lot more alerts with the above examples
than you want to, but it'll give you someplace to start tweaking from.
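Added example, not part of the original thread or of Snort itself: a small Python evaluator that parses the two rulesets from the messages above (the :79 / 81: range version and the !80 version) plus the undirected "any any <> any" shape the reply warns against, and runs them over a handful of constructed packets. The port and address matching follows Snort's rule syntax as I read it (any, a single port, !port, :N, N:, and !CIDR); whether a given Snort release accepts negation in a port field is not checked here. The value of $HOME_NET (192.168.1.0/24), the packet tuples and all function names are assumptions of this example.

```python
"""Toy evaluator for the whitelist-style Snort rules in the thread (added example)."""
import ipaddress
import re

VARIABLES = {"HOME_NET": "192.168.1.0/24"}  # assumed value of $HOME_NET for this example

# action proto src sport direction dst dport (msg: "...";)
RULE_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*'
    r'\(\s*msg:\s*"([^"]*)"\s*;\s*\)$'
)


def port_matches(spec, port):
    """Snort-style port field: any, 80, !80, :79 (<= 79), 81: (>= 81), 1:1024."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def net_matches(spec, addr):
    """Snort-style address field: any, a CIDR block, or !CIDR."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not net_matches(spec[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse_rules(text, variables=VARIABLES):
    """One rule per line; $NAME is substituted the way a Snort 'var' would be."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for name, value in variables.items():
            line = line.replace("$" + name, value)
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        action, proto, src, sport, direction, dst, dport, msg = m.groups()
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dir": direction, "dst": dst, "dport": dport, "msg": msg})
    return rules


def _one_way(rule, src, sport, dst, dport):
    return (net_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and net_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))


def rule_matches(rule, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, src, sport, dst, dport = pkt
    if rule["proto"] != proto:
        return False
    if _one_way(rule, src, sport, dst, dport):
        return True
    # '<>' means the rule also applies with the two endpoints swapped
    return rule["dir"] == "<>" and _one_way(rule, dst, dport, src, sport)


def alerts(rules_text, packets):
    """Return the (msg, packet) pairs that would generate an alert, in packet order."""
    rules = parse_rules(rules_text)
    return [(r["msg"], pkt) for pkt in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, pkt)]


# Constructed traffic: 192.168.1.10 is the web server, 10.0.0.5 / 10.0.0.9 are outside hosts.
PACKETS = [
    ("tcp", "10.0.0.5", 34567, "192.168.1.10", 80),   # client -> web server, expected
    ("tcp", "192.168.1.10", 80, "10.0.0.5", 34567),   # web server reply from port 80
    ("tcp", "10.0.0.5", 34568, "192.168.1.10", 22),   # outside host probing ssh
    ("udp", "10.0.0.5", 1025, "192.168.1.10", 161),   # outside host probing snmp
    ("tcp", "192.168.1.10", 40000, "10.0.0.9", 25),   # server sending mail out
]

RANGE_RULES = """
alert tcp !$HOME_NET any -> $HOME_NET :79 (msg: "TCP access attempt";)
alert tcp !$HOME_NET any -> $HOME_NET 81: (msg: "TCP access attempt";)
alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)
"""

NEGATED_PORT_RULES = """
alert tcp !$HOME_NET any -> $HOME_NET !80 (msg: "TCP access attempt";)
alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)
"""

# The shape the reply warns against: no $HOME_NET and bidirectional.
UNDIRECTED_RULES = """
alert tcp any any <> any !80 (msg: "TCP access attempt";)
"""

if __name__ == "__main__":
    for name, text in [("range", RANGE_RULES), ("negated", NEGATED_PORT_RULES),
                       ("undirected", UNDIRECTED_RULES)]:
        print(name)
        for msg, pkt in alerts(text, PACKETS):
            print("  ", msg, pkt)
```

Run stand-alone, the range and negated-port rulesets produce the same two alerts (the ssh probe and the snmp probe) and stay quiet on the server's port-80 replies and its outbound mail; the undirected rule fires on every TCP packet in the sample, including both halves of the legitimate web exchange, which is the truckload of false alarms the reply describes.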