[Snort-users] reference port data in rule msg

Stephen Gill gillsr at ...131...
Tue Mar 19 20:19:02 EST 2002


Hi all,
Does anyone know if there is a way to reference the actual tcp/udp port
and/or other information of a packet when it matches a particular rule
(i.e. protocol, etc.)?  I would like to configure a snort rule with a
dynamic text message based on the actual port that is being probed.  I
would like all traffic destined to a particular IP address to be logged
as a probe along with the actual port and protocol information in the
text field.  

What might be the best way of accomplishing this?  
 
Instead of: 
alert tcp $EXTERNAL_NET any -> $FAKE_NET 1 (msg:"Probe 1 / tcp"; classtype:bad-unknown; sid:9990; rev:1;)
alert udp $EXTERNAL_NET any -> $FAKE_NET 1 (msg:"Probe 1 / udp"; classtype:bad-unknown; sid:9991; rev:1;)
alert tcp $EXTERNAL_NET any -> $FAKE_NET 2 (msg:"Probe 2 / tcp"; classtype:bad-unknown; sid:9993; rev:1;)
alert udp $EXTERNAL_NET any -> $FAKE_NET 2 (msg:"Probe 2 / udp"; classtype:bad-unknown; sid:9994; rev:1;)
.
(as you can see this can become quite tedious and would generate a lot
of unnecessary rules).
 
I need something like:
alert tcp $EXTERNAL_NET any -> $FAKE_NET :1024 (msg:"Probe $PORT / tcp"; classtype:bad-unknown; sid:9990; rev:1;)
alert udp $EXTERNAL_NET any -> $FAKE_NET :1024 (msg:"Probe $PORT / udp"; classtype:bad-unknown; sid:9991; rev:1;)
 
One possibility is to configure the above rules to LOG, and then use a
parser to create my own customized messages and forward them along but
it would seem like a big waste if this can be done inside of snort.
 
Any advice would be greatly appreciated.
 
Thanks!
-- steve
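The log-and-parse workaround the post mentions, as an added example that is not from the original post or from Snort: a small Python post-processor that reads Snort fast-alert lines produced by two catch-all rules (sid 9990 for tcp, sid 9991 for udp, as in the post) and rewrites each message with the actual destination port and protocol. The fast-alert line layout, the field names and the sample log lines are this example's own assumptions (the sample lines are constructed, not captured data).

```python
import re
from typing import Optional

# Matches one Snort "fast" alert line; group names are this example's own.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# SIDs of the two catch-all probe rules from the post (tcp 9990, udp 9991).
PROBE_SIDS = {"9990", "9991"}


def rewrite_alert(line: str) -> Optional[dict]:
    """Return a record with a port/protocol-specific msg, or None if the
    line is not a fast-alert line from one of the probe rules."""
    m = FAST_ALERT_RE.match(line)
    if not m or m.group("sid") not in PROBE_SIDS:
        return None
    proto = m.group("proto").lower()
    dport = int(m.group("dport"))
    return {
        "ts": m.group("ts"),
        "sid": int(m.group("sid")),
        "src": f"{m.group('src')}:{m.group('sport')}",
        "dst": f"{m.group('dst')}:{dport}",
        "msg": f"Probe {dport} / {proto}",   # the "$PORT" the post asks for
    }


def rewrite_log(text: str) -> list:
    """Rewrite every matching line of a fast-alert log, skipping the rest."""
    return [r for r in (rewrite_alert(l) for l in text.splitlines()) if r]


# Constructed sample lines in fast-alert layout (assumed format, not real data).
SAMPLE_LOG = """\
03/19-20:19:02.000001  [**] [1:9990:1] Probe / tcp [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:40000 -> 10.10.10.1:22
03/19-20:19:03.000002  [**] [1:9991:1] Probe / udp [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.0.2.10:40001 -> 10.10.10.1:161
03/19-20:19:04.000003  [**] [1:1000:1] Unrelated rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.11:40002 -> 10.10.10.2:80
"""

if __name__ == "__main__":
    for rec in rewrite_log(SAMPLE_LOG):
        print(rec["ts"], rec["msg"], rec["src"], "->", rec["dst"])
```

Lines from other rules (the third sample) pass through untouched, so the same filter can sit in front of whatever forwards the alerts onward.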