[Snort-users] Rules question

Gene R. Gomez ggomez at ...677...
Thu Oct 26 17:51:49 EDT 2000


Rather than the ruleset below, could you do something like:

alert tcp !$HOME_NET any -> $HOME_NET !80 (msg: "TCP access attempt";)
alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)

Seems easier; of course, you couldn't specify multiple ports to ignore using
my ruleset above, unless they were continuous.  I should probably just look
in the documentation, but does snort support something like a !port
specification?

-Gene

-----Original Message-----
From: A.L.Lambert [mailto:alambert at ...387...]
Sent: 22 October 2000 22:14
To: Adrian Asher
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Rules question


> Can you use snort to say
>  anything other than
>  any any web
>  so you input what you expect, and detect the rest?
>  In addition to detecting attacks within what is allowed?
>  Thanks
>  Adrian


alert tcp !$HOME_NET any -> $HOME_NET :79 (msg: "TCP access attempt";)
alert tcp !$HOME_NET any -> $HOME_NET 81: (msg: "TCP access attempt";)
alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)

	That'll pick up any UDP traffic at all, and TCP traffic from 0-79
and from 81-65535.

	You'll want to specify the !$HOME_NET -> $HOME_NET because otherwise
the src ports will set off false alarms by the truckload.  (because
in an any any <> any any, your webserver will be sending requests to
clients on ports other than 80, thus setting off your snort if you don't
have $HOME_NET's specified as mentioned above).

	You'll probably generate a lot more alerts with the above examples
than you want to, but it'll give you someplace to start tweaking from.
Cheers!

-- A.L.Lambert
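As an added illustration (an editor's example, not code from either poster or from the Snort project), the Python below models the rule headers traded in this thread: port specs such as `:79`, `81:` and `!80`, address specs such as `!$HOME_NET`, and the difference between `->` and `<>`. It checks that Gene's two-line ruleset and A.L.Lambert's three-line one alert on exactly the same inbound TCP ports, and that a bidirectional rule without `$HOME_NET` fires on the web server's own replies, which is the false-alarm case the reply describes. The home network (`192.168.1.0/24`), the packets, and the treatment of a leading `!` on a port as negation are all assumptions made for the example; the Snort documentation is the authority on the real syntax.

```python
"""Toy matcher for the Snort rule headers discussed in this thread (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed home network for the example; the thread never names one.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


def match_port(spec: str, port: int) -> bool:
    """Port spec: any, 80, :79 (0-79), 81: (81-65535), 1024:2048, or !<spec>.
    Treating a leading ! as port negation is an assumption of this example."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not match_port(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def match_addr(spec: str, addr: str) -> bool:
    """Address spec: any, $HOME_NET, a CIDR block, or !<spec>."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not match_addr(spec[1:], addr)
    if spec == "any":
        return True
    net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule(text: str) -> dict:
    """Split 'action proto src sport dir dst dport (msg:"...";)' into header fields."""
    header, _, options = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    m = re.search(r'msg:\s*"([^"]*)"', options)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "msg": m.group(1) if m else ""}


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Apply the header; a '<>' rule is also tried with src and dst swapped."""
    if rule["proto"] != pkt.proto:
        return False

    def one_way(s, sp, d, dp):
        return (match_addr(rule["src"], s) and match_port(rule["sport"], sp)
                and match_addr(rule["dst"], d) and match_port(rule["dport"], dp))

    if one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport):
        return True
    return rule["dir"] == "<>" and one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def alerts(rules: list, pkt: Packet) -> list:
    """msg of every rule that fires on the packet."""
    return [r["msg"] for r in rules if rule_matches(r, pkt)]


# Gene's two-line proposal, as posted.
GENE_RULES = [parse_rule(r) for r in (
    'alert tcp !$HOME_NET any -> $HOME_NET !80 (msg: "TCP access attempt";)',
    'alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)',
)]
# A.L.Lambert's three lines, with the alert action and the udp protocol the text describes.
LAMBERT_RULES = [parse_rule(r) for r in (
    'alert tcp !$HOME_NET any -> $HOME_NET :79 (msg: "TCP access attempt";)',
    'alert tcp !$HOME_NET any -> $HOME_NET 81: (msg: "TCP access attempt";)',
    'alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)',
)]
# The bidirectional form without $HOME_NET that the reply warns will fire on server replies.
BIDIR_RULES = [parse_rule('alert tcp any any <> any !80 (msg: "TCP access attempt";)')]


def tcp_ports_alerted(rules: list) -> set:
    """Destination ports on which inbound TCP from an outside host fires an alert."""
    return {p for p in range(65536)
            if alerts(rules, Packet("tcp", "203.0.113.9", 40000, "192.168.1.10", p))}


# Constructed packets: an outside client reaching the web server, and the server's reply.
INBOUND_WEB = Packet("tcp", "203.0.113.9", 40000, "192.168.1.10", 80)
INBOUND_SSH = Packet("tcp", "203.0.113.9", 40001, "192.168.1.10", 22)
SERVER_REPLY = Packet("tcp", "192.168.1.10", 80, "203.0.113.9", 40000)

if __name__ == "__main__":
    print("same TCP coverage:", tcp_ports_alerted(GENE_RULES) == tcp_ports_alerted(LAMBERT_RULES))
    print("reply under -> rules:", alerts(GENE_RULES, SERVER_REPLY))
    print("reply under <> rule:", alerts(BIDIR_RULES, SERVER_REPLY))
```

Run stand-alone it reports that the two rulesets cover the same 65,535 TCP ports, that the server's reply on source port 80 is silent under the `!$HOME_NET -> $HOME_NET` rules, and that the same reply trips the bidirectional rule.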
