[Snort-users] Noob question about different parts of a rule
Schmehl, Paul L
pauls at ...6838...
Mon Apr 28 13:20:09 EDT 2003
Here's what the rule means:
If you see any established (flow:from_server,established) tcp (tcp)
traffic from my network ($HOME_NET) coming from ports 12345 or 12346
going to any address not on my network ($EXTERNAL_NET) on any port (any)
with a packet that has the string "NetBus" (content:"NetBus") in it,
send me an alert.
$HOME_NET and $EXTERNAL_NET are variables that *you* must define in the
snort.conf file. One common definition is:
$HOME_NET = 123.456.789.0/24 (your IP range)
$EXTERNAL_NET = !$HOME_NET (not your IP range)
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
> -----Original Message-----
> From: stormshadow [mailto:storm-shadow at ...5068...]
> Sent: Monday, April 28, 2003 2:51 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Noob question about different parts of a rule
> I was looking at this rule trying to learn what everything in there
> alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR
> netbus active"; flow:from_server,established; content:"NetBus";
> reference:arachnids,401; classtype:misc-activity; sid:109; rev:4;)
> Can anyone explain this rule to me? I know that there are 3 modes
> right? (alert, log, and something else). What does the $HOME_NET and
> $EXTERNAL_NET mean? Why do you say "any"?
> Is this rule stating "alert any traffic outbound from port 12345 and
> Confused.
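As an added illustration that is not part of the thread, the script below splits the quoted sid 109 rule into the header fields Paul walks through, resolves $HOME_NET / $EXTERNAL_NET the way snort.conf variables and the ! negation work, and tests a constructed connection against the header and the content match. HOME_NET is an assumed value (the 192.0.2.0/24 documentation range); the flow/established state is not modelled, since that needs a session tracker.

```python
import ipaddress
import re

# The rule quoted in the original post (sid 109).
RULE = ('alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; '
        'flow:from_server,established; content:"NetBus"; reference:arachnids,401; '
        'classtype:misc-activity; sid:109; rev:4;)')

# Assumed snort.conf variables (constructed values; 192.0.2.0/24 is a documentation range).
VARS = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET"}


def parse_rule(rule):
    """Split a rule into its seven header fields and a list of (option, value) pairs."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = [(k, v.strip('"'))
            for k, v in re.findall(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);', body)]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": opts}


def ip_matches(spec, ip):
    """Resolve $VAR references and leading ! negations, then test membership."""
    negate = False
    while spec.startswith("!"):
        negate, spec = not negate, spec[1:]
    if spec.startswith("$"):
        hit = ip_matches(VARS[spec[1:]], ip)          # recurse into the variable's definition
    elif spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return hit != negate


def port_matches(spec, port):
    """'any', a single port, or a low:high range such as 12345:12346."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def rule_fires(rule, src_ip, src_port, dst_ip, dst_port, payload):
    """Header match plus a simple content search; flow state is deliberately not checked."""
    r = parse_rule(rule)
    content = dict(r["options"]).get("content", "").encode()
    return (ip_matches(r["src"], src_ip) and port_matches(r["sport"], src_port)
            and ip_matches(r["dst"], dst_ip) and port_matches(r["dport"], dst_port)
            and content in payload)
```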