[Snort-users] rule problem

alim at ...2196...
Fri Jun 8 03:06:24 EDT 2001


Hi,

I have several questions to ask. Please bear with me because I'm a new user of
Snort.  I know that this is a powerful tool, but I don't know yet how to
manipulate it.  When I'm running Snort I'm getting this error message:

Port value missing in rule.

Suppose that I want to run it with the scan rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt";flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy attempt";flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"INFO - Possible Squid Scan"; flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg: "SCAN - portmap listing 32771"; flags: A+; rpc: 100000,*,*; reference:arachnids,429;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - wayboard request - allows reading of arbitrary files as http service"; content:"way-board"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - palscgi request - allows reading of arbitrary files as http service"; content:"pals-cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - commerce request - allows reading of arbitrary files as http service"; content:"commerce.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - sendtemp request - allows reading of arbitrary files as http service"; content:"sendtemp.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - webspirs request - allows reading of arbitrary files as http service"; content:"webspirs.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - tstisapi request - allows arbitrary commands as http service"; content:"tstisapi.dll"; nocase;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SCAN - Named probe authors"; content: "|07|authors|04|bind"; depth: 26; offset: 12; nocase; reference:arachnids,480;)
alert tcp $HOME_NET 31337 -> $EXTERNAL_NET 80 (msg:"SCAN synscan microsoft"; id: 39426; flags: SF;reference:arachnids,459;)
alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"SCAN trojan hack-a-tack probe"; content: "A"; depth: 1;  reference:arachnids,314; flags:A+;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flags: FPA; content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF;reference:arachnids,441;)
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ttl: >220; ack: 0; flags: S;reference:arachnids,439;)
alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content: "|8007 0000 0700 0004 0000 0000 00|";reference:arachnids,408;)
alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan ehlo";flags: A+; content:"ehlo cybercop|0a|quit|0a|"; reference:arachnids,372;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan expn";flags: A+; content:"expn cybercop"; reference:arachnids,371;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content: "|0A 68 65 6C 70 0A 71 75 69 74 0A|";reference:arachnids,308;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version"; flags: A+; content: "VERSION|0A|"; depth: 16;reference:arachnids,303;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version"; content:"Amanda"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags: SFU12; ack: 0; depth: 16; reference:arachnids,150;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flags: SF12; dsize: 0; reference:arachnids,146;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags: PA12; depth: 16; reference:arachnids,149;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF; reference:arachnids,198;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt";flags:SFPU; reference:arachnids,05;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL";flags:0; seq:0; ack:0; reference:arachnids,4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS";flags:SRAFPU; reference:arachnids,144;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F; reference:arachnids,27;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN IP Eye SYN Scan"; flags: S; seq: 1958810375; reference:arachnids,236;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Synscan Portscan ID 19104"; id: 19104; flags: S; reference: arachnids,521;)


What value should I put to replace EXTERNAL_NET, HOME_NET and SMTP?

Can I put a value that can scan all the ports? e.g. 192.154.1.0 will scan
192.154.1.0-192.154.1.255.
Or what value should I put to replace EXTERNAL_NET to scan all the possible
attacks or the like?

Hope to hear from you guys!


- arthus
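As an added example (not part of the post, and not Snort's own code), a small Python linter over a constructed snort.conf fragment: it defines the three variables the posted rules reference the way a Snort 1.x config does (HOME_NET as the /24 from the post, EXTERNAL_NET as the negation of HOME_NET, SMTP reusing HOME_NET), then checks each rule header for a missing port token, which is the condition the quoted error names, and for a variable that was never defined. The two broken rules and the lint helper are constructed here for illustration.

```python
import re

# Constructed snort.conf fragment (added example, not from the original post): the
# three variables the posted rules use, written as a Snort 1.x snort.conf defines them.
# HOME_NET is the /24 from the post, EXTERNAL_NET is "anything not in HOME_NET" and
# SMTP reuses HOME_NET. The last two rules are deliberately broken.
CONF = """
var HOME_NET 192.154.1.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt"; flags:S;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan expn"; flags:A+; content:"expn cybercop";)
alert tcp $EXTERNAL_NET any -> $HOME_NET (msg:"constructed: destination port missing";)
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"constructed: variable never defined";)
"""

# A port token is any, a number, a range (N:M, N:, :M) or a $VARIABLE, optionally negated.
PORT_RE = re.compile(r"^!?(any|\d+|\d*:\d*|\$\w+)$")

def expand(token, variables):
    """Substitute $NAME references recursively ($EXTERNAL_NET -> !192.154.1.0/24)."""
    while (m := re.search(r"\$(\w+)", token)):
        if m.group(1) not in variables:
            raise KeyError(m.group(1))
        token = token.replace("$" + m.group(1), variables[m.group(1)])
    return token

def lint(conf_text):
    """Return (variables, findings); each finding is (line_no, message)."""
    lines = [l.strip() for l in conf_text.splitlines() if l.strip() and not l.startswith("#")]
    variables = {}
    findings = []
    for no, line in enumerate(lines, 1):
        var = re.match(r"^var\s+(\w+)\s+(\S+)$", line)
        if var:                       # 'var NAME value' lines define a variable
            variables[var.group(1)] = var.group(2)
            continue
        if not line.startswith(("alert", "log", "pass")):
            continue
        header = line.split("(", 1)[0].split()  # action proto src sport dir dst dport
        if len(header) != 7 or not (PORT_RE.match(header[3]) and PORT_RE.match(header[6])):
            findings.append((no, "Port value missing in rule"))
            continue
        for tok in (header[2], header[3], header[5], header[6]):
            try:
                expand(tok, variables)
            except KeyError as err:
                findings.append((no, "undefined variable $" + err.args[0]))
    return variables, findings
```

Because variables are collected in file order, a rule placed above its var line is reported as undefined, which mirrors the sequential way Snort reads the config.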
