[Snort-users] Rules Question

Jacob Steinberger trefalgar at ...14634...
Wed Aug 12 13:24:30 EDT 2009


I'm not sure if I'm thinking about this in the "Snort" way or not, but ...

I'm receiving a lot of "RPC portmap listing TPC 111" alerts from snort  
running in IDS mode. We have two different NFS servers which I can  
attribute 99% of the alarms from (over 4,000 in less than 24 hours).

I'd like to be able to specifically ignore requests going to these two  
servers. I assume this is a rules update, so I tried updating this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing  
TCP 111"; flow:to_server,established; content:"|00 01 86 A0|";  
depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4;  
content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc;  
reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:13;)

Instead of $HOME_NET, I tried, [any,!IP#1, !IP#2]. It didn't seem to  
work as I continued to get the same RPC alarms.

Am I not thinking in the proper snort way, or is this just a syntax  
problem within my host list?

Jacob





More information about the Snort-users mailing list