[Snort-users] Best way to change and apply multiple rules for a certain criteria

Rochon, Jason jcrochon at ...6828...
Fri Sep 12 11:35:58 EDT 2014


Hello,

I'm looking for a way to change all my rules that have "PCAnywhere" going outside, to only detect going inside.

Example:
alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_server,established; content:"Invalid login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;)

I would like to change the important parts to alert on attempts to my $HOME_NET only:
Direction change: $HOME_NET 5631:5632 <- $EXTERNAL_NET
Flow change: flow:to_client

Also, should I disable this rule and recreate it in local.rules, or would just editing it suffice?
I forgot whether the order of included rules matters. Would I need to put edited rules at the top?
Example, change this:
include my_custom_rules.rules
include rules_to_be_edited.rules

To this:
include rules_to_be_edited.rules
include my_custom_rules.rules

Are the rules overwritten, so that all custom rules should be last at the bottom of snort.conf?

Thank you and Best Regards,

Jason C. Rochon
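As an added example (not from the post or the Snort project), here is a small Python rewriter that does the bulk change described above for a whole rules file: Snort's header only accepts `->` and `<>` as direction operators, so rather than writing `<-` it swaps the two endpoints together with their ports and swaps the `flow:` keyword to match. The copy is given a fresh sid in the local range (assumed convention: local rules use sid >= 1000000) and rev:1, so it can sit in local.rules without colliding with the stock rule; the sample rules embedded below are constructed.

```python
import re

# Snort rule header: action proto src sport dir dst dport, then the option body in parentheses.
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# flow: keywords describe the packet relative to the session, so they must be
# swapped together with the header endpoints.
FLOW_SWAP = {"to_server": "to_client", "to_client": "to_server",
             "from_client": "from_server", "from_server": "from_client"}

def flip_outbound_rule(rule, match_text, new_sid):
    """Return an inbound copy of one outbound rule mentioning match_text, else None."""
    line = rule.strip()
    m = RULE_RE.match(line)
    if line.startswith("#") or not m:
        return None
    if match_text.lower() not in m.group("opts").lower():
        return None
    if (m.group("src"), m.group("dir"), m.group("dst")) != ("$HOME_NET", "->", "$EXTERNAL_NET"):
        return None
    opts = m.group("opts")
    opts = re.sub(r"\b(to_server|to_client|from_client|from_server)\b",
                  lambda f: FLOW_SWAP[f.group(1)], opts)
    # Give the copy its own sid (assumed convention: local rules use sid >= 1000000)
    # and reset rev, so it never collides with the stock rule it was derived from.
    opts = re.sub(r"sid:\s*\d+", f"sid:{new_sid}", opts)
    opts = re.sub(r"rev:\s*\d+", "rev:1", opts)
    # Endpoint swap: the old source (net, port) becomes the destination and vice versa.
    header = (f"{m.group('action')} {m.group('proto')} $EXTERNAL_NET {m.group('dport')} "
              f"-> $HOME_NET {m.group('sport')}")
    return f"{header} ({opts})"

def flip_rules(text, match_text, first_sid=1000001):
    """Rewrite every qualifying rule in a rules-file body; returns the new rules in order."""
    out = []
    for line in text.splitlines():
        new = flip_outbound_rule(line, match_text, first_sid + len(out))
        if new:
            out.append(new)
    return out

# Constructed sample: the rule from the post plus an inbound rule that must be left alone.
SAMPLE_RULES = """\
alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_server,established; content:"Invalid login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5631:5632 (msg:"PUA-OTHER PCAnywhere probe"; flow:to_server; sid:513; rev:1;)
"""
```

Run `flip_rules(open("rules_to_be_edited.rules").read(), "PCAnywhere")` and append the returned lines to local.rules, then comment out the original sids in the stock file so both copies do not fire.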