[Snort-users] Question on port lists and negation

Matthew Watchinski mwatchinski at ...1935...
Mon Oct 8 17:49:09 EDT 2007


Richard Bejtlich wrote:
> Hello,
> 
> As I mentioned to roesch and WuTang in IRC, I am playing with port
> lists and negation.
> 
> Say I create this snort.conf:
> 
> portvar MY_HTTP_PORTS [80,81,82,83,88,8000,8008,8080]
> alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not"; sid:4;)
> 
> To test this variable and rule I use Netcat:
> 
> $ nc -v 192.168.2.103 8000
> nc: connect to 192.168.2.103 port 8000 (tcp) failed: Connection refused
> 
> Netcat generates this traffic.
> 
> 16:52:32.370899 IP 192.168.2.105.50970 > 192.168.2.103.8000:
>  S 3574479912:3574479912(0) win 65535
>  <mss 1460,nop,wscale 1,nop,nop,timestamp 2620575 0,sackOK,eol>
> 
> 16:52:32.370903 IP 192.168.2.103.8000 > 192.168.2.105.50970:
>  R 0:0(0) ack 3574479913 win 0
> 
> Snort reports these alerts.
> 
> 10/08-16:56:26.358386  [**] [1:4:0] Example Not [**] [Priority: 0]
> {TCP} 192.168.2.105:50970 -> 192.168.2.103:8000
> 10/08-16:56:26.358527  [**] [1:4:0] Example Not [**] [Priority: 0]
> {TCP} 192.168.2.103:8000 -> 192.168.2.105:50970
> 
> That doesn't look right.  Why did the first alert fire?  You do not
> want to see traffic to port 8000 TCP, yet you got an alert.  The
> second alert fired because the RST ACK was sent to port 50970 TCP,
> which is not in the port variable list.
> 

portvar MY_HTTP_PORTS [80,81,82,83,88,8000,8008,8080]
alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not";
flow:to_server,established; sid:4;)

it'll work as expected then.

It alerts because

192.168.2.105:50970 -> 192.168.2.103:8000
is no different than
192.168.2.103:8000 -> 192.168.2.105:50970

because you are running with any any -> any !PORTS

any any matches both 192.168.2.105:50970 -> 192.168.2.103:8000
and 192.168.2.103:8000 -> 192.168.2.105:50970


> Let's try another angle in a new snort.conf.
> 
> portvar NOT_MY_HTTP_PORTS [!80,!81,!82,!83,!88,!8000,!8008,!8080]
> alert tcp any any -> any $NOT_MY_HTTP_PORTS (msg:"Example Not"; sid:5;)
> 
> Again use Netcat to generate traffic.
> 
> $ nc -v 192.168.2.103 8000
> nc: connect to 192.168.2.103 port 8000 (tcp) failed: Connection refused
> 
> It looks like this.
> 
> 16:56:11.091099 IP 192.168.2.105.53298 > 192.168.2.103.8000:
>  S 2235929694:2235929694(0) win 65535
>  <mss 1460,nop,wscale 1,nop,nop,timestamp 2642448 0,sackOK,eol>
> 
> 16:56:11.095002 IP 192.168.2.103.8000 > 192.168.2.105.53298:
>  R 0:0(0) ack 2235929695 win 0
> 
> This time, Snort reports only one alert.
> 
> 10/08-17:00:07.050091  [**] [1:5:0] Example Not [**] [Priority: 0]
> {TCP} 192.168.2.103:8000 -> 192.168.2.105:53298

This I can't reproduce; my test alerts on the same packets as the first
rule.  Updating it with flow:to_server,established makes it behave as
desired.

> 
> This is the desired behavior.  Snort ignored the SYN packet to port
> 8000 TCP but it fired on the return traffic.
> 
> Is this is a logic issue?
> 
> This does not negate (oww, bad pun) the fact that port lists are very helpful.
> 
> Thank you,
> 
> Richard
> 
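Added example, not code from the original thread, from Matthew, or from Snort itself: a small Python model of the rules discussed above. It parses Snort port lists (including `!$VAR` and `[!80,!81,...]` negation), tracks the TCP handshake the way a stream preprocessor would so that `flow:to_server,established` can be evaluated, and runs both rule variants over the two packets Richard captured plus a constructed handshake to a non-HTTP port (2222) and one to an HTTP port (8080). The model applies the rule's port test literally to every packet, so it does not reproduce the first alert on the SYN that Matthew attributes to the `any any -> any !PORTS` grouping; what it shows is why the RST/ACK back to port 50970 alerts without `flow`, and why adding `flow:to_server,established` narrows the rule to client-to-server packets in completed sessions. IP fields are assumed to be `any` and are ignored; all class and function names are this example's own.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: subset of "SAPRF"


def parse_port_list(spec, portvars=None):
    """Return a predicate port -> bool for a Snort port spec: 'any', '80',
    '1024:', '$VAR', '!$VAR', '[80,81]', '[!80,!81]' or mixed '[80:90,!85]'.
    A list made only of negated entries means every port except those."""
    portvars = portvars or {}
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:].strip()
    if spec.startswith("$"):
        inner = parse_port_list(portvars[spec[1:]], portvars)
    elif spec == "any":
        if negate:
            raise ValueError("!any is not a valid Snort port list")
        inner = lambda port: True
    elif spec.startswith("[") and spec.endswith("]"):
        items = [s.strip() for s in spec[1:-1].split(",") if s.strip()]
        keep = [parse_port_list(i, portvars) for i in items if not i.startswith("!")]
        drop = [parse_port_list(i[1:], portvars) for i in items if i.startswith("!")]

        def inner(port):
            if keep and not any(f(port) for f in keep):
                return False
            return not any(f(port) for f in drop)
    else:
        m = re.fullmatch(r"(\d*):(\d*)", spec)
        lo, hi = (int(m.group(1) or 0), int(m.group(2) or 65535)) if m else (int(spec),) * 2
        inner = lambda port: lo <= port <= hi
    return (lambda port: not inner(port)) if negate else inner


# Only the rule header fields this model needs; IPs are assumed 'any'.
RULE_RE = re.compile(r"^\w+\s+tcp\s+\S+\s+(?P<sport>\S+)\s+->\s+\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


class Rule:
    def __init__(self, text, portvars):
        m = RULE_RE.match(text)
        if not m:
            raise ValueError("unsupported rule syntax: " + text)
        self.sport = parse_port_list(m.group("sport"), portvars)
        self.dport = parse_port_list(m.group("dport"), portvars)
        opts = {}
        for item in filter(None, (s.strip() for s in m.group("opts").split(";"))):
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip()
        self.sid = int(opts.get("sid", 0))
        self.flow = {f.strip() for f in opts.get("flow", "").split(",") if f.strip()}


class FlowTracker:
    """Minimal stand-in for stream tracking: the endpoint that sent the SYN is
    the client, and a session is 'established' once SYN, SYN/ACK and ACK were seen."""

    def __init__(self):
        self.flows = {}

    def observe(self, pkt):
        key = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        flow = self.flows.get(key)
        if "S" in pkt.flags and "A" not in pkt.flags:
            flow = self.flows[key] = {"client": (pkt.src, pkt.sport), "state": "syn"}
        elif flow is None:
            return None  # mid-stream packet with no known session
        elif "S" in pkt.flags and flow["state"] == "syn":
            flow["state"] = "synack"
        elif "A" in pkt.flags and flow["state"] == "synack":
            flow["state"] = "established"
        to_server = (pkt.src, pkt.sport) == flow["client"]
        state = {"to_server": to_server, "to_client": not to_server,
                 "established": flow["state"] == "established"}
        if "R" in pkt.flags:
            flow["state"] = "closed"
        return state


def run(rules, packets):
    """Evaluate rules per packet; returns (sid, 'src:sport -> dst:dport') per alert."""
    tracker, alerts = FlowTracker(), []
    for pkt in packets:
        flow = tracker.observe(pkt)
        for rule in rules:
            if not (rule.sport(pkt.sport) and rule.dport(pkt.dport)):
                continue
            if rule.flow and (flow is None or not all(flow.get(k, False) for k in rule.flow)):
                continue
            alerts.append((rule.sid, f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"))
    return alerts


PORTVARS = {"MY_HTTP_PORTS": "[80,81,82,83,88,8000,8008,8080]",
            "NOT_MY_HTTP_PORTS": "[!80,!81,!82,!83,!88,!8000,!8008,!8080]"}
RULES_WITHOUT_FLOW = [
    'alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not"; sid:4;)',
    'alert tcp any any -> any $NOT_MY_HTTP_PORTS (msg:"Example Not"; sid:5;)',
]
RULES_WITH_FLOW = [r.replace("sid:", "flow:to_server,established; sid:") for r in RULES_WITHOUT_FLOW]

# Packets 1-2 are the SYN / RST-ACK pair from the post; the rest are constructed:
# a full handshake plus data to port 2222, and a full handshake plus data to port 8080.
C, S = "192.168.2.105", "192.168.2.103"
PACKETS = [
    Packet(C, 50970, S, 8000, "S"), Packet(S, 8000, C, 50970, "RA"),
    Packet(C, 50971, S, 2222, "S"), Packet(S, 2222, C, 50971, "SA"), Packet(C, 50971, S, 2222, "A"),
    Packet(C, 50971, S, 2222, "PA"), Packet(S, 2222, C, 50971, "PA"),
    Packet(C, 50972, S, 8080, "S"), Packet(S, 8080, C, 50972, "SA"), Packet(C, 50972, S, 8080, "A"),
    Packet(C, 50972, S, 8080, "PA"),
]


def alerts_without_flow():
    return run([Rule(r, PORTVARS) for r in RULES_WITHOUT_FLOW], PACKETS)


def alerts_with_flow():
    return run([Rule(r, PORTVARS) for r in RULES_WITH_FLOW], PACKETS)


if __name__ == "__main__":
    for label, alerts in (("without flow", alerts_without_flow()), ("with flow", alerts_with_flow())):
        print(label)
        for sid, tuple4 in alerts:
            print(f"  [1:{sid}:0] {tuple4}")
```

Without `flow`, every packet whose destination port is not in the list alerts, which includes the server's replies in every session (their destination is the client's ephemeral port); with `flow:to_server,established`, only the client's traffic in a completed session to port 2222 alerts, and the session to 8080 stays quiet in both directions.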