[Snort-users] Snort as an anomalous behavior IDS

Willst Mail willstmail at ...11827...
Fri Apr 2 15:21:40 EDT 2010

Sounds like you did what I want to do.  Let's say outbound HTTP is
fine but anything else is bad, would your ruleset look something like:

pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Allowing outbound
HTTP"; sid:1000001)
alert tcp any any -> any any (msg:"Bad traffic!"; sid:1000002)

And from this (contrived and simplified) ruleset, outbound over port
80 is allowed to silently pass and everything else will generate an

> ------------------------------
> Message: 3
> Date: Sat, 03 Apr 2010 00:09:47 +1300
> From: Jason Haar <Jason.Haar at ...294...>
> Subject: Re: [Snort-users] Snort as an anomalous behavior IDS
> To: snort-users at lists.sourceforge.net
> Message-ID: <4BB5D07B.7020701 at ...294...>
> Content-Type: text/plain; charset=ISO-8859-1
> On 04/01/2010 11:32 AM, Willst Mail wrote:
>> Is it as simple having a
>> ruleset with the good rules, and a final rule that matches (any any ->
>> any any)?
> We use snort to monitor DMZes that way. Unlike real networks, DMZes are
> meant to contain hosts that have specific roles, and don't have users
> logged in running Skype/etc. i.e their traffic flows are predictable. In
> particular, they shouldn't initiate outbound connections beyond the
> expected AV updates, Windows/YUM updates/etc.
> Then we created pass rules that  allow such things, and trigger alerts
> on the rest. On our network, DMZ alerts are really quiet for ages - and
> then some SysAdmin will forget where they are and go and read their
> Gmail or something - and we get an alert - soon followed by a "sorry!
> it's me!" - that proves it's working :-)
> However, FTP is your enemy - no easy way to write "pass" rules for FTP.
> I've got HTTP "pass" rules to allow connections to hosts containing
> "uricontent:/repos/", or whitelist particular User-Agents - but you
> can't say "allow curl to ftp files"
> --
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list