[Snort-users] help writing snort rule

Bill Lopez Bill at ...14048...
Fri Jan 26 18:39:14 EST 2007

#   http://www.snort.org     Snort Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
# $Id$
# Set up the external network addresses as well.  A good start may be

var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

preprocessor stream4: disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes

preprocessor smtp: \
  ports { 25 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

# is the local machine
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { }

preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000

preprocessor dns: \
    ports { 53 }

include classification.config
include reference.config
include $RULE_PATH/BILL.rules

Snort command line to start:

/usr/sbin/snort -A console -l /var/log/snort/ -h \
-c /etc/snort/snort.conf


# Bill's rules: three digit groups with optional hyphens between them. Note
# that the literal space at each end of the pattern is part of the match.
alert tcp $HOME_NET any -> any any \
    (msg:"SSN Detected in Clear Text-Bill's Rule"; \
    pcre:"/ \d{3}(|-)\d{2}(|-)\d{4} /"; sid:1000004; rev:1;)

alert udp $HOME_NET any -> any any \
    (msg:"SSN Detected in Clear Text-Bill's Rule"; \
    pcre:"/ \d{3}(|-)\d{2}(|-)\d{4} /"; sid:1000005; rev:1;)

# Lou's rules: hyphens are mandatory, and again a space is required on
# each side of the number.
alert tcp $HOME_NET any -> any any \
    (msg:"SSN Detected in Clear Text-Lou's Rule"; \
    pcre:"/ \d\d\d-\d\d-\d\d\d\d /"; sid:1000007; rev:1;)

alert udp $HOME_NET any -> any any \
    (msg:"SSN Detected in Clear Text-Lou's Rule"; \
    pcre:"/ \d\d\d-\d\d-\d\d\d\d /"; sid:1000008; rev:1;)


Still no alert with an e-mail containing 555-55-5555 in the body or

Bill Lopez

Operating Engineers Trust Funds

(626) 356-3524

(626) 255-1066

-----Original Message-----
From: Blake Hartstein [mailto:bhartstein at ...4451...] 
Sent: Friday, January 26, 2007 11:48 AM
To: Bill Lopez
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] help writing snort rule

Bill Lopez wrote:
> which doesn't produce an alert either - eventually I want to apply
> this filter to just traffic from/to mail, telnet, ftp (etc) servers -
> I can send any variant of xxx-xx-xxxx, xxxxxxxx or xxx xx xxxx via an
> e-mail, text file attachment or file upload and still never see an
> alert to the console. I have a simple rule to check for content using
> a keyword and get alerted when sending that keyword with e-mail,
> attachment and file upload (this was my test to see if snort was
> actually alerting correctly). I am only running my test rules with an
> out of the box snort.conf file.
> Why wouldn't either of the above rules alert with (for example) an
> e-mail sent with 555-55-5555 in the body?
Can you please paste how you are running snort on the command line, and
if you changed anything in your snort.conf please post that information.

This type of traffic should be seen by snort and the rules you created 
should alert.

Perhaps snort isn't seeing the traffic you are expecting.

Try running
# snort -vde -i eth0

to see what snort sees.

Or, if you are running from a pcap, you might need to use
config checksum_mode: none
if you captured the file on the localhost.

Also, which port is this traffic intended for?
You might need to configure your flow_depth on http_inspect if you are 
seeing this deep within the packet, rather than just in the headers.


This email and any files transmitted with it are solely intended for the
use of the addressee(s) and may contain information that is confidential
and privileged.  If you receive this email in error, please advise us by
return email immediately. Please also disregard the contents of the
email, delete it and destroy any copies immediately.  Demarc Security,
Inc. does not accept liability for the views expressed in the email or
for the consequences of any computer viruses that may be transmitted
with this email.

This email is also subject to copyright. No part of it should be
reproduced, adapted or transmitted without the written consent of the
copyright owner.
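Added example, not part of the thread: a small Python script that runs the two posted PCREs against constructed message bodies (the samples below are made up, not captured traffic) so the behaviour of each expression can be checked offline before loading it into Snort. It also carries a tightened expression of my own, together with a structural check that drops area/group/serial values the SSA never issues; both are my proposal, not something the thread suggests. Python's re engine accepts these expressions in the same form as libpcre, so what matches here matches in a Snort pcre option on the same bytes.

```python
import re

# The two PCREs exactly as posted in the thread, with Snort's /.../ delimiters
# removed. Note the literal space at each end: it is part of the match.
BILL_PATTERN = re.compile(r" \d{3}(|-)\d{2}(|-)\d{4} ")
LOU_PATTERN = re.compile(r" \d\d\d-\d\d-\d\d\d\d ")

# Tightened expression (my proposal, not from the thread): hyphen, space or
# no separator between the groups, and the number may not be embedded in a
# longer run of digits or hyphens. Both lookarounds are fixed-width, so the
# same expression works unchanged inside a Snort pcre:"/.../" option.
SSN_PATTERN = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def posted_rules_match(payload: str) -> dict:
    """Report whether each of the posted regexes would fire on this payload."""
    return {
        "bill": BILL_PATTERN.search(payload) is not None,
        "lou": LOU_PATTERN.search(payload) is not None,
    }


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural check: the SSA never issues area 000, 666 or 900-999,
    group 00, or serial 0000, so those can be dropped before alerting."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(payload: str) -> list:
    """Return every plausible SSN in the payload, normalised to NNN-NN-NNNN."""
    hits = []
    for m in SSN_PATTERN.finditer(payload):
        area, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


# Constructed message bodies (not captured traffic). The first one is the
# shape a mail client actually produces: the number ends the line, so the
# byte after it is CR, not a space.
SAMPLES = {
    "end_of_line": "Subject: test\r\n\r\nmy ssn is 555-55-5555\r\n",
    "space_padded": "ssn 555-55-5555 is attached\r\n",
    "space_separated": "ssn 555 55 5555 is attached\r\n",
    "no_separator": "ssn 555555555 is attached\r\n",
    "phone_numbers": "call (626) 356-3524 or 6263563524\r\n",
    "never_issued": "ssn 000-12-3456 or 666-12-3456 or 900-12-3456\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16} posted={posted_rules_match(body)} "
              f"tightened={find_ssns(body)}")
```

Two things fall out of running it. The posted patterns only fire when the number has a literal space on both sides, so a number that ends a line (followed by CRLF) never matches; and Bill's `(|-)` group accepts an empty string or a hyphen but never a space, so the "xxx xx xxxx" variant cannot match either. Two caveats apply to any version of the rule: a Snort pcre option is evaluated against the payload Snort hands it, so a number split across two TCP segments is only seen whole when the stream reassembler rebuilds that stream; and a bare digit pattern will produce false positives on other numeric data, so in production it should at least be scoped with a port list and `flow:to_server,established` rather than `any any`.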
