[Snort-users] Local Rule Error

wkitty42 at ...14940... wkitty42 at ...14940...
Sun Feb 19 22:07:59 EST 2017


On 02/19/2017 09:03 PM, Jones, Christopher (Chris) (Maj) wrote:
> I found one of my mistakes.  I had a local rules path in the config file
> twice so that explains why snort was giving me the error.  Now it runs with
> no errors

that'll do it every time :)

> but is not logging my packet that I know has the "chmod" text string.  Do I
> need to include some wildcard placeholders like "*chmod*"? Does this rule
> look to have the required  components?

the first thing i see is that you should add the classification...

   classtype:blahblah;

select your classification from your classification.conf file...


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL RULE-chmod command 
attempt"; content:"chmod"; classtype:suspicious-filename-detect; sid:500001; rev:1;)


but make sure you use a classification that exists in your classification.conf 
file... the classification provides the ""alert level""... 1 is the highest, 3 
is the lowest (of those publicly distributed)... you can go even lower if you 
like for your own stuff...

there's no such think as wildcards in rule content... there is if you use a 
regex with the content but regex is not always needed...

are you getting anything alerted on at all? if not, you may want to put the 
following local-test.rules file in place and see if it generates alerts... it 
should as it is very generic and alerts on most everything... if that doesn't 
work, you may need to add "-k none" to your snort command line to turn off 
invalid checksums so that all packets are processed...

----->8 snip 8<-----
#
# filename: local-test.rules
#
# The rules in this file are only to test a snort installation to see if it is
# seeing any traffic at all. These rules should not be used all the time. Once
# tested and working, this rule file should be commented out in your snort.conf
# so that it is not used.
#
#------------------
# LOCAL TEST RULES
#------------------

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; 
classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; 
classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; 
classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; 
classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; 
classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; 
classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; 
classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; 
classtype:icmp-event; sid:8; rev:1;)

----->8 snip 8<-----


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.




More information about the Snort-users mailing list