R: [Snort-users] Rule Creation Question !.

Michael Boman michael at ...3137...
Wed Oct 2 07:46:24 EDT 2002


On Wed, Oct 02, 2002 at 12:09:14PM +0200, Moreno Poli wrote:
> It's not easy because online I have one web server, one mail server, one
> proxy server and one Snort PC.
> 
> I want to be sure that only tcp/25 and tcp/110 traffic arrives at the mail
> server and only tcp/80 and tcp/443 traffic arrives at the web server, but
> I also want to use all the other rules to control proxy traffic and HTTP,
> SMTP and POP3 traffic.
> 
> 
> PS: I'm not a C programmer.
> 
> Best Regards
> 
> Moreno Poli

You don't need to know C programming to use BPF filters...


This is what I can come up with:

ignore.bpf:

not (host $MAILSERVER and tcp and (port 25 or port 110)) and
not (host $WEBSERVER and tcp and (port 80 or port 443)) and
not (host $PROXYSERVER and tcp and port $PROXYPORT)


local.rules:
log ip any any <> any any (msg:"Bad stuff";)

Start with (add other options as you see fit):
snort -F ignore.bpf -c snort.conf


DISCLAIMER: 
Wrote everything from the top of my head and it is provided AS-IS. Please
double-check with the manual page for 'tcpdump' regarding the BPF
stuff.. Sitting in the wrong OS to be really helpful.. And don't forget
to change the $VALUES to the real stuff...


Best regards
 Michael Boman


> 
> -----Original Message-----
> From: Michael Boman [mailto:michael at ...3137...] 
> Sent: Wednesday, 2 October 2002 3:23
> To: Moreno Poli
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Rule Creation Question !.
> 
> 
> On Tue, Oct 01, 2002 at 04:39:34PM +0200, Moreno Poli wrote:
> > If I have a server with POP3 and SMTP services, is it possible to create a
> > rule that logs all incoming traffic except traffic for these 2 ports? I
> > know that it is possible to create a rule that logs all traffic except 1
> > port, but if the ports are two or three, is it possible?
> >  
> >  
> > Moreno Poli
> 
> Yes, use BPF filters:
> 
> not port 25 and not port 110
> 
> 
> Then you can ask snort to log everything, as it's totally blind to
> SMTP and POP3 traffic (it never gets them).
> 
> 'man tcpdump' will tell you how to write BPF filters, and the snort manpage
> will tell you how to use them.
> 
> Best regards
>  Michael Boman
> 
> -- 
> Michael Boman
> Student, Husband, Geek. Not necessarily in that order though.
> 
> 

-- 
Michael Boman
Student, Husband, Geek. Not necessarily in that order though.
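Added example, not part of the post above: the script builds the per-server exclusion filter in the same shape as ignore.bpf from a table of servers and their expected TCP ports, and alongside it a direction-aware variant. It then replays a few constructed packets through both matching semantics to show what Snort's "log everything" rule would still record. The IP addresses, the proxy port and the sample packets are made-up example values, not anything from the thread.

```python
"""Build the per-server BPF exclusion filter from a service table and check,
on constructed packets, which traffic Snort would still see.

All hosts, ports and packets below are constructed example values."""

# Server -> TCP ports expected on it (constructed values, not from the post).
SERVICES = {
    "203.0.113.10": (25, 110),   # mail server: SMTP, POP3
    "203.0.113.20": (80, 443),   # web server: HTTP, HTTPS
    "203.0.113.30": (3128,),     # proxy (port number is an assumption)
}


def loose_filter(services):
    """Filter in the shape used in the post. In BPF, 'host X' matches X as
    either endpoint and 'port N' matches N as source OR destination port."""
    clauses = []
    for host, ports in services.items():
        plist = " or ".join(f"port {p}" for p in ports)
        clauses.append(f"not (host {host} and tcp and ({plist}))")
    return " and\n".join(clauses)


def strict_filter(services):
    """Direction-aware variant: hide only packets going TO the server's
    service port, or coming FROM the server's service port."""
    clauses = []
    for host, ports in services.items():
        to_srv = " or ".join(f"dst port {p}" for p in ports)
        from_srv = " or ".join(f"src port {p}" for p in ports)
        clauses.append(
            f"not (tcp and ((dst host {host} and ({to_srv}))"
            f" or (src host {host} and ({from_srv}))))"
        )
    return " and\n".join(clauses)


# Packets are (src_ip, src_port, dst_ip, dst_port, proto). The two helpers
# apply the same matching semantics as the two filter shapes above.
def hidden_by_loose(pkt, services):
    src, sport, dst, dport, proto = pkt
    if proto != "tcp":
        return False
    return any(host in (src, dst) and (sport in ports or dport in ports)
               for host, ports in services.items())


def hidden_by_strict(pkt, services):
    src, sport, dst, dport, proto = pkt
    if proto != "tcp":
        return False
    return any((dst == host and dport in ports) or (src == host and sport in ports)
               for host, ports in services.items())


def snort_sees(packets, services, strict=False):
    """Return the packets that pass the exclusion filter, i.e. the ones the
    'log ip any any <> any any' rule would still record."""
    hidden = hidden_by_strict if strict else hidden_by_loose
    return [p for p in packets if not hidden(p, services)]


# Constructed sample traffic.
PACKETS = [
    ("198.51.100.5", 51000, "203.0.113.10", 25, "tcp"),    # client -> SMTP
    ("203.0.113.10", 25, "198.51.100.5", 51000, "tcp"),    # SMTP reply
    ("198.51.100.9", 25, "203.0.113.10", 22, "tcp"),       # source port 25 -> SSH
    ("198.51.100.5", 51001, "203.0.113.20", 8080, "tcp"),  # web server, odd port
    ("198.51.100.5", 51002, "203.0.113.10", 53, "udp"),    # UDP to mail server
    ("198.51.100.5", 51003, "203.0.113.30", 3128, "tcp"),  # client -> proxy
]

if __name__ == "__main__":
    print(loose_filter(SERVICES))
    print()
    print(strict_filter(SERVICES))
    print()
    for p in snort_sees(PACKETS, SERVICES):
        print("loose filter, Snort still sees:", p)
    for p in snort_sees(PACKETS, SERVICES, strict=True):
        print("strict filter, Snort still sees:", p)
```

Either generated expression can be written to a file and passed with snort -F. The third sample packet is the point of the comparison: with the loose shape, a connection from source port 25 to the mail server's SSH port is hidden from Snort, because "port 25" matches on either side; the strict shape keeps it visible. Neither shape is stateful, so a server making outbound connections from its own service port still slips through both.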
