[Snort-users] general custom rules questions

Jim Forster jforster at ...176...
Thu Feb 28 14:15:07 EST 2002


---==On Thu, 28 Feb 2002 16:31:58 -0500, Basil Saragoza wrote==---
>1. If I want to create my own rules then should I place it in the
>local.rules file or create my own file? (And then use snort -o)
Yes, that's why I added them - it's just easier when you update your ruleset to know they won't be overwritten.
(I have now changed it to mylocal.rules for my systems, so installing a new set won't touch my files with the 'default' empty one)

>2. As to the flexresp rules...I understand it is quite dangerous and it can
>cause more harm than good....is there any tutorial or user archive for
>custom written rules?
Flex drops the request, not necessarily the connection.
I make a request for "welcome.html" ok
I make a request for "cmd.exe" a TCP RST is sent
I make a request for "welcome2.html" ok
No firewall rules are changed/added and no black holing of the attacker occurs.

>3. Let's say I created a flexresp rule for some annoying hostile
>connection,
>O.K., now it's dropped. Then hacker figures out what is going on and
>spoofs
>his address to novell.com address, then I can't block it cause I
You block by the packet content.  This would just mean he couldn't pretend to be from novell and attack you either.  :)

I've had mixed luck with flexresp; from what you've said here, Hogwash may actually be what you're looking for.
--------------------------------------------------------------------
Sleep: A completely inadequate substitute for caffeine.

Jim Forster, jforster at ...176... on 02/28/2002
Network Administrator
RapidNet, A Golden West Company
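
A short illustration of the two points in the reply above (a separately named local rules file, and a flexresp rule that matches on payload content rather than source address), added here as an example and not taken from the original thread; the file path, SID and rule text are constructed, and `resp` is only accepted by a Snort build configured with flexresp support:

```snort
# snort.conf fragment: include a local rules file under your own name, so a
# ruleset update that replaces the stock (empty) local.rules leaves it alone.
# (path is constructed for this example)
var HTTP_SERVERS $HOME_NET
include $RULE_PATH/mylocal.rules

# mylocal.rules: the match is on the request content ("cmd.exe"), not on the
# client address, so a spoofed source does not help the sender. resp:rst_all
# sends a TCP RST to both ends for the matching request only; requests that
# do not match (welcome.html, welcome2.html) pass, and no firewall rule or
# blackhole entry is created.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"LOCAL cmd.exe request - flexresp reset"; flags:A+; content:"cmd.exe"; nocase; resp:rst_all; sid:1000001; rev:1;)
```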
