[Snort-users] newbie-writing rules help

Matt Kettler mkettler at ...4108...
Mon Jul 22 14:26:03 EDT 2002


Snort does not currently support this kind of comma-delimited port list.

I can see two ways to handle your problem:

1) use pass rules to pass port 23, 80, and 8000-8003 then a blanket alert 
that picks up anything. You'll also need to change the rule ordering with a 
command line parameter.

2) use a couple of port-ranged rules (probably simpler to set up, might be 
less efficient):
alert tcp any any -> <SERVER IP> 1:22 (msg:"Er";)
alert tcp any any -> <SERVER IP> 24:79 (msg:"Er";)
alert tcp any any -> <SERVER IP> 81:7999 (msg:"Er";)
alert tcp any any -> <SERVER IP> 8004:65535 (msg:"Er";)

Note that you do NOT want "any" for the destination IP, since the outbound 
traffic from your webserver would trigger the rule (it would be from port 
80, to an outside machine on some random port >1024, so any time anyone 
accessed your website it would go off for all of the response traffic).

You might also want to consider adding a flags:S+, so that only the syn 
sequence sets it off.

I also take it that the server in question is not allowed to act as a 
client and browse web pages on the outside, download files, etc.



At 01:38 PM 7/22/2002 -0700, charella constansia wrote:
>Hi,
>
>I have a question! I'm a newbie so maybe this sounds
>like a stupid question to you but please help me.
>
>I want to write some rules.
>My problem is that I have a server and only certain
>activities are allowed.
>
>For example only traffic from the outside going to
>port :80,23,8000,8001,8002 and a few more are allowed.
>How must I define this;
>I thought of:
>alert tcp any any -> any 1[80,23,8000,8001,8002]
>(msg:"Er";)
>Is this good? I looked in the Snort users manual but I
>couldn't find the answer.
>
>Thanks, I hope that somebody can help me.
>
>sharella at ...131...
>
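The two approaches from the reply, as an added example that is not part of the original thread: a small Python generator that derives the complementary port ranges for an allow-list (the general case of the four hand-written rules above) and emits either the ranged alert rules or the pass-rules-plus-blanket-alert variant. The server address and allowed-port set are constructed sample values, and the pass-rule variant assumes Snort is started with the -o flag so pass rules are evaluated before alert rules.

```python
"""Added example: generate Snort rules for an allow-list of server ports.

Snort 1.x/2.x port ranges use the ':' operator (e.g. 81:7999) and the
version discussed here does not accept comma-delimited lists such as
[80,23,8000], so "alert on everything except the allowed ports" needs
one rule per gap in the port space.  SERVER_IP and ALLOWED below are
constructed sample values, not taken from the original thread."""

SERVER_IP = "192.0.2.10"                      # constructed example address
ALLOWED = {23, 80, 8000, 8001, 8002, 8003}    # ports the server may receive


def port_gaps(allowed, lo=1, hi=65535):
    """Return (start, end) pairs covering every port in lo..hi NOT in allowed."""
    gaps, cur = [], lo
    for port in sorted(p for p in set(allowed) if lo <= p <= hi):
        if port > cur:
            gaps.append((cur, port - 1))
        cur = port + 1
    if cur <= hi:                 # trailing gap up to the highest port
        gaps.append((cur, hi))
    return gaps


def range_rules(server_ip, allowed, msg="Disallowed port", syn_only=True):
    """Approach 2 from the reply: one alert rule per gap.  The destination is
    the server's own IP so its responses (source port 80) never match, and
    flags:S+ restricts the alert to connection attempts (SYN set)."""
    opts = ("flags:S+; " if syn_only else "") + f'msg:"{msg}";'
    rules = []
    for start, end in port_gaps(allowed):
        port = f"{start}:{end}" if start != end else str(start)
        rules.append(f"alert tcp any any -> {server_ip} {port} ({opts})")
    return rules


def pass_rules(server_ip, allowed, msg="Disallowed port"):
    """Approach 1 from the reply: pass the allowed ports, then a blanket alert.
    Only correct when Snort runs with -o (pass rules evaluated first)."""
    rules = [f"pass tcp any any -> {server_ip} {p}" for p in sorted(allowed)]
    rules.append(f'alert tcp any any -> {server_ip} any (flags:S+; msg:"{msg}";)')
    return rules


if __name__ == "__main__":
    print("\n".join(range_rules(SERVER_IP, ALLOWED)))
    print("# alternative, requires 'snort -o ...':")
    print("\n".join(pass_rules(SERVER_IP, ALLOWED)))
```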
