[Snort-users] Snort Rule Advise.

Paul Schmehl pauls at ...6838...
Fri Apr 13 11:24:11 EDT 2007


--On Friday, April 13, 2007 15:00:33 +0100 Tony Purdy <tpurdy at ...14103...> 
wrote:
>
> Could someone kindly advise if it is possible to achieve the following
> within a rule.
>
> I am creating rules to trigger when specific words are seen within the
> payload, for example the word ‘ADS’ as below:
>
> alert tcp any any -> any any (msg :"SecureADS"; sid:1000011;
> content:"ADS"; nocase; rev:1;)
>
> But currently it will trigger if it sees NADS for example which is a menu
> option within an SGD environment.
>
> Please advise how I can restrict the rule to trigger when only ADS is
> seen, this can appear anywhere in the payload.
>
The problem is, you can't restrict the rule to ADS unless you use pcre and 
anchor the expression on both sides.  If all you look for is ADS, you're 
going to see it anywhere there's a word that contains ADS in it.  And 
you're using nocase, so it's going to alert on anything with Ads, ADs, aDs, 
aDS, ads, etc.

First you need to tell us exactly what it is you want to alert on.  If it's 
ADS and *only* ADS, then you could do something like this:

alert tcp any any -> any any (msg: "SecureADS"; content:"ADS"; 
pcre:"/^ADS$/"; sid:1000011; rev:1;)

If you're really trying to alert on SecureADS, then you could probably get 
away with only content, since that's unlikely to match anything else.

alert tcp any any -> any any (msg: "SecureADS"; content:"SecureADS"; 
sid:1000011; rev:1;)

But, if you really want useful advice, you need to be more specific.  If 
you have a packet dump you can share, that would help a lot.

Paul Schmehl (pauls at ...6838...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pkcs7-signature
Size: 3701 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070413/fe1d5fa8/attachment.bin>


More information about the Snort-users mailing list