[Snort-users] Local Rule Error

Jones, Christopher (Chris) (Maj) cajones1 at ...17771...
Mon Feb 20 01:43:31 EST 2017


Thanks for your assistance.  You really helped me out with the rules writing.  A big mistake on my part was saying that the traffic was TCP but the incoming suspect traffic was coming in over UDP.  When I changed the protocol to just IP, I got all sorts of alerts.


-----Original Message-----
From: wkitty42 at ...14940... [mailto:wkitty42 at ...14940...] 
Sent: Sunday, February 19, 2017 7:08 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Local Rule Error

On 02/19/2017 09:03 PM, Jones, Christopher (Chris) (Maj) wrote:
> I found one of my mistakes.  I had a local rules path in the config 
> file twice so that explains why snort was giving me the error.  Now it 
> runs with no errors

that'll do it every time :)

> but is not logging my packet that I know has the "chmod" text string.
> Do I need to include some wildcard placeholders like "*chmod*"? Does
> this rule look to have the required components?

the first thing i see is that you should add the classification...

   classtype:blahblah;

select your classification from your classification.conf file...


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL RULE-chmod command attempt"; content:"chmod"; classtype:suspicious-filename-detect; sid:500001; rev:1;)


but make sure you use a classification that exists in your classification.conf 
file... the classification provides the "alert level"... 1 is the highest, 3 
is the lowest (of those publicly distributed)... you can go even lower if you 
like for your own stuff...

there's no such thing as wildcards in rule content... there is if you use a 
regex with the content but regex is not always needed...

are you getting anything alerted on at all? if not, you may want to put the 
following local-test.rules file in place and see if it generates alerts... it 
should as it is very generic and alerts on most everything... if that doesn't 
work, you may need to add "-k none" to your snort command line to turn off 
invalid checksums so that all packets are processed...

----->8 snip 8<-----
#
# filename: local-test.rules
#
# The rules in this file are only to test a snort installation to see if it is
# seeing any traffic at all. These rules should not be used all the time. Once
# tested and working, this rule file should be commented out in your snort.conf
# so that it is not used.
#
#------------------
# LOCAL TEST RULES
#------------------

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)

----->8 snip 8<-----


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
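As an added illustration of the two lessons in this thread (a rule's protocol must match the transport the suspect traffic actually uses, and `content:` is a literal byte string with no wildcards, with `pcre:` as the option when pattern matching is really needed), here is a small Python matcher. It is not part of the thread and not Snort's own code: it parses single-line rules in Snort syntax and evaluates them against constructed packets. The HOME_NET value, the rule set and the packets are all made-up sample data, and the pcre handling only understands the `/pattern/flags` form with an optional `i` flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the ipvar line in snort.conf (assumption, not from the thread).
HOME_NET = {"10.0.0.5"}


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp", as carried on the wire
    src: str
    dst: str
    payload: bytes


@dataclass
class Rule:
    proto: str      # "tcp", "udp", "icmp" or "ip" (ip covers all of them)
    src: str
    dst: str
    msg: str
    content: Optional[str]
    pcre: Optional[str]
    sid: int


# action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    """Parse one single-line rule. Options are split on ';', so this toy does not
    cope with ';' inside a quoted pattern the way real Snort does."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    _action, proto, src, _sport, dst, _dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return Rule(proto, src, dst, options.get("msg", ""),
                options.get("content"), options.get("pcre"), int(options["sid"]))


def addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":        # the usual definition: !$HOME_NET
        return ip not in HOME_NET
    return spec == ip


def rule_fires(rule: Rule, pkt: Packet) -> bool:
    # Protocol is the first gate: a "tcp" rule never looks inside a UDP datagram.
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    # content: is a literal, case-sensitive byte substring; '*' is just a byte.
    if rule.content is not None and rule.content.encode() not in pkt.payload:
        return False
    if rule.pcre is not None:
        body, flags = re.fullmatch(r"/(.*)/([a-z]*)", rule.pcre).groups()
        pattern = re.compile(body.encode(), re.IGNORECASE if "i" in flags else 0)
        if not pattern.search(pkt.payload):
            return False
    return True


def matching_sids(rules: List[Rule], pkt: Packet) -> List[int]:
    """Return the sids of every rule that would alert on this packet."""
    return [r.sid for r in rules if rule_fires(r, pkt)]


# Sample rule set (constructed): the thread's tcp-only rule beside an ip version,
# a "wildcard" rule that really matches literal asterisks, and a pcre variant.
RULES = [parse_rule(t) for t in [
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"chmod over tcp only"; content:"chmod"; classtype:suspicious-filename-detect; sid:500001; rev:1;)',
    r'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"chmod over any IP protocol"; content:"chmod"; classtype:suspicious-filename-detect; sid:500002; rev:1;)',
    r'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"literal asterisks, not a wildcard"; content:"*chmod*"; classtype:suspicious-filename-detect; sid:500003; rev:1;)',
    r'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"chmod plus octal mode"; pcre:"/chmod\s+[0-7]{3,4}/i"; classtype:suspicious-filename-detect; sid:500004; rev:1;)',
]]

# Constructed packets; 203.0.113.0/24 is documentation address space.
UDP_CHMOD = Packet("udp", "203.0.113.9", "10.0.0.5", b"GET /x; chmod 777 /tmp/x\n")
TCP_CHMOD = Packet("tcp", "203.0.113.9", "10.0.0.5", b"chmod 755 /tmp/y\n")
OUTBOUND = Packet("udp", "10.0.0.5", "203.0.113.9", b"chmod 777 /tmp/x\n")

if __name__ == "__main__":
    for name, pkt in [("udp inbound", UDP_CHMOD), ("tcp inbound", TCP_CHMOD), ("udp outbound", OUTBOUND)]:
        print(f"{name:13} -> sids {matching_sids(RULES, pkt)}")
```

Run stand-alone, the UDP packet carrying "chmod" trips only the `ip` rules (sids 500002 and 500004), never the `tcp` rule, which is exactly the silent miss described at the top of the thread; the `*chmod*` rule fires on nothing because no packet contains literal asterisks; and the outbound packet matches nothing because its source is inside HOME_NET. Real Snort adds stream reassembly, `nocase`, `depth`/`offset` and a full PCRE engine on top of this, but the protocol and literal-content gates behave the same way.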
