[Snort-users] Rule Creation Question !.

Bennett Todd bet at ...6163...
Fri Oct 4 07:48:06 EDT 2002


2002-10-01-10:12:58 Moreno Poli:
> If I have a server with POP3 and SMTP services, is it possible to create a rule
> that logs all incoming traffic except traffic for these 2 ports? I know
> that it is possible
> to create a rule that logs all traffic except 1 port, but if the ports are
> two or three, is it possible?

There's More Than One Way To Do It, as the perl folks like to say.

You can use a rule to log everything incoming:

	# protocol field must be tcp, udp, icmp or ip; "ip" matches everything
	log ip any any -> a.b.c.d any

(I think, I haven't done this). a.b.c.d is your server's IP address.
Then you have a choice of ways to make snort ignore incoming pop3
and SMTP. You can use a BPF filter to skip that traffic; that'd
probably be the most efficient mechanism, I think. It'd look
something like

	snort ... 'not (dst port smtp or pop3)'

(untried, I haven't done BPF in a while).

In fact, maybe even more efficient would be to use snort as a pure
sniffer, with nothing but bpf filtering --- or to just use tcpdump
the same way --- that'd be something like

	snort -i eth0 -dbel . \
	  'dst host a.b.c.d and not (dst port smtp or pop3)'

Or equivalently

	tcpdump -i eth0 -w capturefile \
	  'dst host a.b.c.d and not (dst port smtp or pop3)'

Anyway, going back to snort in IDS mode with using log rules, you
could use the above log-everything line, and pass rules to exclude
smtp and pop3. That'd be a conf file like

	# Snort rule headers take port numbers, not service names;
	# pass rules are applied before log rules in the default order
	pass tcp any any -> any 25
	pass tcp any any -> any 110
	log ip any any -> a.b.c.d any

Or you could just specify log entries to log everything except the
requested ports; that'd be something like

	log udp any any -> a.b.c.d any
	log icmp any any -> a.b.c.d any
	# tcp in ranges that skip 25 (smtp) and 110 (pop3)
	log tcp any any -> a.b.c.d 1:24
	log tcp any any -> a.b.c.d 26:109
	log tcp any any -> a.b.c.d 111:65535

I'm sure I've forgotten some more ways to do this.

And the above is all untested, so I may have committed typos or
brainos in there :-).

-Bennett
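The last variant above writes the complementary port ranges by hand, which is what the original question was really asking about for "two or three" ports. The following shell script, added here as an illustration and not part of Bennett's reply, computes those ranges for any list of excluded TCP ports and prints the matching Snort log rules; the server address 192.0.2.10 and the function names are made up for the example.

```shell
#!/bin/sh
# Added example: generate Snort "log" rules that cover every TCP port
# except the ones given, plus whole-protocol rules for udp and icmp.
# Usage: snort_log_except <server-ip> <port> [<port> ...]

# Print the sub-ranges of 1..65535 that exclude the given ports,
# one "lo:hi" per line (Snort header port-range syntax).
complement_ranges() {
    printf '%s\n' "$@" | sort -n -u | awk '
        BEGIN { lo = 1 }
        {
            p = $1 + 0
            if (p < 1 || p > 65535) next      # ignore junk / out-of-range
            if (p > lo) print lo ":" (p - 1)   # gap before this port
            lo = p + 1
        }
        END { if (lo <= 65535) print lo ":65535" }'
}

# Emit the rule set for one server: udp and icmp logged whole,
# tcp logged in the ranges that leave out the excluded ports.
snort_log_except() {
    host=$1; shift
    printf 'log udp any any -> %s any\n' "$host"
    printf 'log icmp any any -> %s any\n' "$host"
    complement_ranges "$@" | while read -r range; do
        printf 'log tcp any any -> %s %s\n' "$host" "$range"
    done
}

# Sample run with constructed values: skip smtp (25) and pop3 (110)
snort_log_except 192.0.2.10 25 110
```

Because the ranges are computed, adding a third service (say 143 for IMAP) is just one more argument, and duplicate or unsorted ports are handled. The same range list can also be pasted into a single rule header as `[1:24,26:109,111:65535]` on Snort versions that accept port lists.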