[Snort-users] Noob question about different parts of a rule

L. Christopher Luther CLuther at ...6333...
Mon Apr 28 13:53:02 EDT 2003


HOME_NET and EXTERNAL_NET are variables defined in snort.conf -- they're
usually your home network number and the 'outside' network (or !$HOME_NET),
respectively.  

The rule states that any packet originating from the home network using TCP
source ports 12345 or 12346, going to 'any' destination TCP port on the
external network, and containing the text 'NetBus' within the packet data,
should generate an 'alert' telling you that there is NetBus activity on your
home network.

Pretty simple.  :)  

Cheers!
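To make the header/option split concrete, here is an added example (not from the original post or from Snort itself) that parses the rule quoted in this thread and evaluates it against constructed packets. The HOME_NET value, the packet fields and the payloads are assumptions; flow state (from_server,established) is not modelled.

```python
import ipaddress

# The rule under discussion, exactly as quoted in the thread.
RULE = ('alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR '
        'netbus active"; flow:from_server,established; content:"NetBus"; '
        'reference:arachnids,401; classtype:misc-activity; sid:109; rev:4;)')

# Assumed snort.conf variable values (EXTERNAL_NET is "everything but home").
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

def parse_rule(rule):
    """Split a rule into its 7 header fields and a dict of its options."""
    header, opts = rule.split("(", 1)
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for item in opts.rstrip(")").split(";"):
        if item.strip():
            key, _, val = item.strip().partition(":")
            options[key] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def port_matches(spec, port):
    """'any', one port, or an inclusive Snort range such as 12345:12346."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def addr_matches(spec, ip):
    """Resolve $VAR, apply '!' negation, then test CIDR membership."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return not negate
    if spec.startswith("$"):
        return addr_matches(VARS[spec[1:]], ip) != negate
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec)) != negate

def rule_matches(rule, pkt):
    """True when the header fields and the content: option all match."""
    r = parse_rule(rule)
    return (r["proto"] == pkt["proto"]
            and addr_matches(r["src"], pkt["src"]) and port_matches(r["sport"], pkt["sport"])
            and addr_matches(r["dst"], pkt["dst"]) and port_matches(r["dport"], pkt["dport"])
            and r["options"]["content"].encode() in pkt["payload"])

# Constructed packets: a NetBus banner leaving the home network, then two misses.
HIT = dict(proto="tcp", src="192.168.1.10", sport=12345, dst="203.0.113.5", dport=4444, payload=b"NetBus 1.70")
WRONG_PORT = dict(HIT, sport=12347)
INTERNAL_DST = dict(HIT, dst="192.168.1.20")
```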


-----Original Message-----
From: stormshadow [mailto:storm-shadow at ...5068...]
Sent: Monday, April 28, 2003 3:51 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Noob question about different parts of a rule



I was looking at this rule trying to learn what everything in there 
means:
alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:4;)

Can anyone explain this rule to me? I know that there are 3 modes 
right? (alert, log, and something else). What does the $HOME_NET and 
$EXTERNAL_NET mean? Why do you say "any"?

Is this rule stating "alert any traffic outbound from port 12345 and 
12346"? 
Confused.
TIA
Storm