[Snort-users] rule question

Frank Knobbe FKnobbe at ...649...
Thu Apr 25 15:00:02 EDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Taylor Lewick [mailto:Taylor.Lewick at ...5541...]
> Sent: Thursday, April 25, 2002 4:09 PM
> 
> How do I rewrite the following rule to either not alert the 
> following message from a given ip to a given ip...  
> I checked the documentation and the thing I'm not sure about 
> is the  $HOME_NET and $EX_NET variables in place of any...  
> ie, How would I say, alert on anything from my $EXTERNAL_NET 
> going to my $HOME_NET, unless it comes from 100.100.100.4 
> going to 100.100.100.5
> 
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE 
> x86 setgid 0"; content:"|b0b5 cd80|"; blah blah blah;)
> 
> would I write..
> 
> alert ip !100.100.100.4 $EXTERNAL_NET -> !100.100.100.5 
> $HOME_NET (msg:"SHELLCODE x86 setgid 0"; content:"|b0b5 
> cd80|"; blah blah blah;)


Nope, you would write:

pass ip 100.100.100.4 any -> 100.100.100.5 any (msg:"SHELLCODE x86
setgid 0"; content:"|b0b5 cd80|"; blah blah blah;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86
setgid 0"; content:"|b0b5 cd80|"; blah blah blah;)

Stick the pass into a file called pass.rules and include that in
snort.conf. Make sure you start Snort with the -o option turned on.

This will cause Snort to pass all packets matching this rule (only
between those two IPs), but alert on anything else.

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBPMh8JMzYtOFvgXQfEQKGnQCg6YCBKVV/7miX0l2eEdaZ6R5mrJUAnjGx
VYvcQrHnhjMFNh7ItQsFr7W9
=EyvE
-----END PGP SIGNATURE-----
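The reason Frank insists on -o is rule-type ordering: by default Snort evaluates Alert rules before Pass rules, so the pass rule above would never get a chance to exempt the 100.100.100.4 -> 100.100.100.5 pair; -o switches the order to Pass -> Alert -> Log. The following is an added example, not code from the thread or from Snort: a small Python model of header matching and rule-type ordering that runs Frank's two rules under both orders, and also runs a both-sides header-negation rule (the closest valid form of the rewrite the question sketched; that form is an assumption) to show that it suppresses more than the one pair. The `var` values (HOME_NET as a two-address list, EXTERNAL_NET as `any`) and the packets are constructed; real Snort does far more than this model, which only covers the ordering question.

```python
"""Toy model of Snort 1.x rule ordering: default Alert->Pass->Log versus
the Pass->Alert->Log order selected with 'snort -o'.  Added example, not
Snort code; it models only the header/content matching the thread needs."""
import ipaddress
import re

# Constructed 'var' lines: EXTERNAL_NET any was the old snort.conf default,
# HOME_NET is chosen so that the thread's 100.100.100.5 counts as "home".
VARS = {"$HOME_NET": "[100.100.100.5,100.100.100.6]", "$EXTERNAL_NET": "any"}
ORDER_DEFAULT = ("alert", "pass", "log")   # snort without -o
ORDER_WITH_O = ("pass", "alert", "log")    # snort -o

RULE_RE = re.compile(
    r"^(?P<action>alert|pass|log)\s+(?P<proto>ip|tcp|udp|icmp)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def ip_matcher(spec):
    """Predicate for a header IP field: any, 1.2.3.4, 10.0.0.0/8, [a,b],
    with a leading '!' for negation; $VARS are expanded once."""
    spec = VARS.get(spec, spec)
    negated = spec.startswith("!")
    spec = spec.lstrip("!").strip("[]")
    if spec == "any":
        return lambda ip: not negated
    nets = [ipaddress.ip_network(s, strict=False) for s in spec.split(",")]
    return lambda ip: any(ipaddress.ip_address(ip) in n for n in nets) != negated


def port_matcher(spec):
    """any or a single port (ranges and lists are not modelled)."""
    return (lambda p: True) if spec == "any" else (lambda p: p == int(spec))


def decode_content(text):
    """Snort content string to bytes: |..| segments are hex, the rest is literal."""
    out = bytearray()
    for i, seg in enumerate(text.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode()
    return bytes(out)


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    content = re.search(r'content:\s*"([^"]*)"', m.group("opts"))
    return {"action": m.group("action"), "proto": m.group("proto"),
            "src": ip_matcher(m.group("src")), "sport": port_matcher(m.group("sport")),
            "dst": ip_matcher(m.group("dst")), "dport": port_matcher(m.group("dport")),
            "content": decode_content(content.group(1)) if content else b""}


def rule_matches(rule, pkt):
    return ((rule["proto"] == "ip" or rule["proto"] == pkt["proto"])
            and rule["src"](pkt["src"]) and rule["sport"](pkt["sport"])
            and rule["dst"](pkt["dst"]) and rule["dport"](pkt["dport"])
            and rule["content"] in pkt["payload"])


def verdict(rules, pkt, order=ORDER_DEFAULT):
    """Rule types are tried in 'order'; the first type with a matching rule
    decides the packet.  That ordering is exactly what -o changes."""
    for action in order:
        if any(r["action"] == action and rule_matches(r, pkt) for r in rules):
            return action
    return None


OPTS = '(msg:"SHELLCODE x86 setgid 0"; content:"|b0b5 cd80|";)'
# Frank's pair of rules, with the content option written out as content:"..."
FRANK_RULES = [parse_rule(r) for r in (
    "pass ip 100.100.100.4 any -> 100.100.100.5 any " + OPTS,
    "alert ip $EXTERNAL_NET any -> $HOME_NET any " + OPTS)]
# Header negation on both sides (assumption: the closest valid form of the
# rewrite the question sketched).
NEGATED_RULES = [parse_rule("alert ip !100.100.100.4 any -> !100.100.100.5 any " + OPTS)]


def packet(src, dst):
    # Constructed packet; the payload carries the b0 b5 cd 80 bytes the rules look for.
    return {"proto": "tcp", "src": src, "dst": dst, "sport": 4321, "dport": 80,
            "payload": b"\x90\x90\xb0\xb5\xcd\x80"}


def run():
    pair = packet("100.100.100.4", "100.100.100.5")        # the pair to exempt
    other_src = packet("100.100.100.99", "100.100.100.5")  # same target, other source
    other_dst = packet("100.100.100.4", "100.100.100.6")   # same source, other target
    return {
        "pair/default": verdict(FRANK_RULES, pair),                     # alert: pass never reached
        "pair/-o": verdict(FRANK_RULES, pair, ORDER_WITH_O),            # pass
        "other_src/-o": verdict(FRANK_RULES, other_src, ORDER_WITH_O),  # alert
        "other_dst/-o": verdict(FRANK_RULES, other_dst, ORDER_WITH_O),  # alert
        "negated/other_src": verdict(NEGATED_RULES, other_src),         # None: over-suppressed
        "negated/other_dst": verdict(NEGATED_RULES, other_dst),         # None: over-suppressed
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:20} -> {result}")
```

Running it shows the two points worth checking before trusting a pass rule: without -o the exempted pair still alerts, and negating both header fields silences any packet from .4 and any packet to .5, not just traffic between the two.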
