[Snort-users] Quick Rule's Question...
hoagland at ...47...
Wed Mar 6 11:02:23 EST 2002
At 1:28 PM -0500 3/6/02, Mark Taber wrote:
>Hi guys, and gals...
>I am having an issue with a web-misc 403 forbidden alert. The alert is
>being triggered on a sensor that is hitting a trusted website. I
>haven't been able to figure out why the machine that the sensor is on is
>trying to hit the website, so I thought that I might be able to write a
>rule to pass that particular IP. I have never written a rule before and
>am not sure that I have written this one right, so I though I would send
>it out to be critiqued. Thanks for the help.....
>(Rule that is in the web-misc file)
>alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403
>Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12;
>classtype:attempted-recon; sid:1201; rev:2;)
>(Rule that I am creating)
>pass tcp $HTTP_SERVERS 80 -> x.x.x.x (IP Of Server on my network)
>(msg:"WEB-MISC 403 Forbidden";flags: A+; content:"HTTP/1.1 403";
>depth:12; classtype:attempted-recon; sid:1201; rev:2;)
>I believe I would need to run snort with the -o switch configured, is
This looks right except that you need to include 'any' or the actual
port number as the destination port in your pass rule.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...47..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
More information about the Snort-users