[Snort-users] Alert file

waldo kitty wkitty42 at ...14940...
Thu Mar 21 15:01:18 EDT 2013


On 3/20/2013 15:24, Mohammad MontazerI wrote:
> Yes. i just want something to cause an alert.
> but question is: How?

i just posted the following on 12 Mar 2013 in this very list...

[quote]
what some blogs and helpers recommend is to create a local.rules file and then
create a rule in there that will alert on everything... make sure that
local.rules is included in your snort.conf and that it is with your other rules
files with the proper permissions... then restart snort... the "catch
everything" rules would be something like these...


alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:3; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; sid:6; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; sid:7; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; sid:8; rev:1;)


"any" used to be allowed as a protocol but when i tested it just now with snort 
2.9.3.1, it didn't like it at all...

you'll want to disable these as soon as possible and restart snort ;)
[/quote]


and this followup to another person on the same day...


[quote]
i just posted some extremely simple ones that catch everything... however, they 
make a decent starting point, too...

for example:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)


we'll change this to catch /any/ mention of ".exe" in /tcp/ traffic...

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe mentioned in tcp traffic inbound"; content:".exe"; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic outbound"; content:".exe"; sid:x; rev:1;)


there are two... one for inbound and one for outbound...

1. we changed the protocol from "icmp" to "tcp".

2. we adjusted the msg text that is used.

3. we added a content field to look for.

4. only ".exe" is looked for... ".EXE" or ".Exe" or ".eXe" or such will not trigger.

5. you have to set the SID number to a unique number for your rules sets... the 
revision should be incremented each time you make a (major?) change in the rule.


now, the above does not look for an actual executable file... it only looks for 
the four characters .exe all together... looking for actual binaries is a little 
bit tougher to do but the concept is still the same... you look for content... 
there are various buffers you can look in... you can go case insensitive... you 
can refine for specific examples via pcre...
[/quote]

>  > i don't know what is that!
>  > i just downloaded rules from here: http://www.snort.org/snort-rules
>  > and installed it on my opensuse.
>  > is that enough?
>  > http://www.snort.org/snort-rules
>
> so then you currently do not use a rules manager... it isn't needed at this
> point anyway... all you want to do is cause an alert, right?
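The post above shows how easy it is to get a local.rules line wrong in ways that stop snort from starting: an option written with ";" instead of ":" (content;".exe"), a sid left as a placeholder, or a sid that collides with another rule. The following checker is an added example, not code from the original post or from the Snort project; it parses Snort 2.x rule lines, reports those mistakes, and warns about sids below 1,000,000 (the range the Snort manual sets aside for local rules). The rules file embedded in it is constructed for the example and mixes the thread's rules with two corrected ones (nocase, and a content:"MZ"; depth:2; check for a PE header). It is a pre-flight check only; `snort -T -c snort.conf` remains the real test of a rules file.

```python
"""Pre-flight checker for a Snort 2.x local.rules file (added example)."""
import re

# Constructed sample rules file for this example. Lines 5-7 carry the
# mistakes discussed in the thread; lines 8-9 are corrected rules.
SAMPLE_RULES = r'''
# local.rules -- constructed for this example
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe mentioned in tcp traffic inbound"; content;".exe"; sid:3; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic outbound"; content:".exe"; sid:x; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"duplicate sid"; content:".exe"; nocase; sid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe in inbound tcp, any case"; content:".exe"; nocase; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PE header at start of payload"; flow:to_client,established; content:"MZ"; depth:2; sid:1000002; rev:1;)
'''

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>ip|tcp|udp|icmp)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<options>.*)\)\s*$')
KEYWORD_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*$')
# Options that are meaningless without an argument (subset of the Snort 2.9 set).
NEEDS_VALUE = {'msg', 'content', 'uricontent', 'pcre', 'sid', 'rev', 'gid', 'depth',
               'offset', 'within', 'distance', 'flow', 'classtype', 'reference',
               'priority', 'metadata', 'dsize', 'flags', 'ttl', 'itype', 'icode',
               'byte_test', 'byte_jump', 'isdataat', 'threshold', 'detection_filter'}


def split_options(body):
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    tokens, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False; continue
        if ch == '\\':
            cur.append(ch); escaped = True; continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            tokens.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    tokens.append(''.join(cur).strip())
    return [t for t in tokens if t]


def check_rules(text, local_sid_floor=1000000):
    """Return (lineno, severity, message) findings for a rules file given as text."""
    findings, seen_sids = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            findings.append((lineno, 'error', 'not a parseable rule header (check protocol, direction, parentheses)'))
            continue
        sid = rev = None
        for tok in split_options(m.group('options')):
            name, _, value = tok.partition(':')
            name, value = name.strip(), value.strip()
            if not KEYWORD_RE.match(name):
                # A quoted string standing alone means the preceding option used ';' where ':' belongs.
                findings.append((lineno, 'error', f'option {tok!r} has no keyword; the previous option was probably written as content;"..." instead of content:"...";'))
                continue
            if name in NEEDS_VALUE and not value:
                findings.append((lineno, 'error', f'{name} requires a value (write {name}:<value>;)'))
                continue
            if name == 'sid':
                sid = value
            elif name == 'rev':
                rev = value
        if sid is None:
            findings.append((lineno, 'error', 'missing sid'))
        elif not sid.isdigit():
            findings.append((lineno, 'error', f'sid must be a number, got {sid!r}'))
        else:
            n = int(sid)
            if n in seen_sids:
                findings.append((lineno, 'error', f'sid {n} already used on line {seen_sids[n]}'))
            else:
                seen_sids[n] = lineno
            if n < local_sid_floor:
                findings.append((lineno, 'warning', f'sid {n} is below {local_sid_floor}; local rules should use the local range to avoid clashing with distributed rules'))
        if rev is None:
            findings.append((lineno, 'warning', 'missing rev; start at rev:1 and bump it on each change'))
        elif not rev.isdigit():
            findings.append((lineno, 'error', f'rev must be a number, got {rev!r}'))
    return findings


if __name__ == '__main__':
    for lineno, severity, msg in check_rules(SAMPLE_RULES):
        print(f'line {lineno}: {severity}: {msg}')
```

Run it against your own file with `check_rules(open('local.rules').read())`; anything reported as an error is something snort itself will reject at startup, while the sid-range warning is a convention rather than a parse failure.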
More information about the Snort-users mailing list