[Snort-users] Rule help

Jack Pepper pepperjack at ...14319...
Tue Dec 23 15:21:57 EST 2008


Quoting "Jefferson, Shawn" <Shawn.Jefferson at ...14448...>:


> My original rule worked out great, but I tried to create another  
> rule that alerts me on anything that went from the $HOME_NET to  
> $EXTERNAL_NET port 11830, and I obviously did something wrong, since  
> I got about 3 million alerts in 5 minutes... pretty much all traffic  
> going to the IDS sensor (which takes forever to delete via BASE!)
>
> Here's what I tried:
>
> alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)

Change the "ip" to tcp.  IP protocol ignores the src and dest port  
numbers.  So yes, this rule is catching *any* outbound traffic.

jp


-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
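The mistake in the quoted rule (a port specified on an `ip`-protocol rule, where Snort ignores the port fields) is easy to catch before the rule ever reaches a sensor. The following is an added lint example written for this thread, not code from either poster or from the Snort project. It parses only the rule header (action, protocol, addresses, ports, direction) and flags rules whose protocol is not TCP or UDP yet name a port other than `any`. The sample rule set is constructed: the first rule is the one from the thread, the second is the correction the reply suggests, and sids 1000003 and 1000004 are made up for the example.

```python
import re
from dataclasses import dataclass

# Minimal parser for a Snort rule header:
#   action proto src sport direction dst dport (options)
# Constructed for this example; it does not cover every corner of Snort's grammar
# (e.g. port lists or negated address lists are treated as opaque tokens).
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# Only these protocols carry ports that a rule header can match on.
PORT_AWARE_PROTOCOLS = {"tcp", "udp"}


@dataclass
class Finding:
    sid: str
    problem: str


def parse_rule(text: str) -> dict:
    """Split one single-line Snort rule into its header fields and option string."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"not a recognisable Snort rule header: {text!r}")
    return m.groupdict()


def sid_of(opts: str) -> str:
    """Pull the sid out of the option string, or '?' if none is present."""
    m = re.search(r'\bsid\s*:\s*(\d+)', opts)
    return m.group(1) if m else "?"


def check_rule(text: str):
    """Return a Finding if the rule names a port its protocol cannot honour, else None.

    For 'ip' (and other non-TCP/UDP protocols) Snort does not apply the port
    fields, so a rule like the one in the thread matches every outbound packet
    between the two networks rather than just port 11830.
    """
    r = parse_rule(text)
    names_a_port = r["sport"].lower() != "any" or r["dport"].lower() != "any"
    if r["proto"].lower() not in PORT_AWARE_PROTOCOLS and names_a_port:
        return Finding(
            sid=sid_of(r["opts"]),
            problem=(
                f'protocol "{r["proto"]}" ignores ports, so "{r["sport"]}" -> '
                f'"{r["dport"]}" has no effect; the rule fires on all '
                f'{r["proto"]} traffic from {r["src"]} to {r["dst"]}. '
                f'Use tcp or udp if a port is intended.'
            ),
        )
    return None


def lint(rules) -> list:
    """Run check_rule over a rule set and collect the findings."""
    return [f for f in (check_rule(r) for r in rules) if f is not None]


# Constructed sample rule set for this example.
SAMPLE_RULES = [
    # The rule from the thread: 'ip' with a destination port.
    'alert ip $HOME_NET any -> $EXTERNAL_NET 11830 '
    '(msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)',
    # The fix suggested in the reply (sid 1000003 is made up here).
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 11830 '
    '(msg:"port 11830 traffic outbound"; sid:1000003; rev:1;)',
    # A non-TCP/UDP rule that correctly leaves both ports as 'any' (sid made up).
    'alert icmp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"outbound icmp"; sid:1000004; rev:1;)',
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(f"sid {finding.sid}: {finding.problem}")
```

Running the script against the sample set reports only sid 1000002, the thread's original rule; the corrected `tcp` rule and the `icmp` rule with `any` ports pass. Dropping such a check into whatever step assembles a sensor's rules file is a cheap way to avoid the flood of alerts described above.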