Educause Security Discussion mailing list archives

writing SNORT rules


From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Date: Tue, 2 Dec 2008 11:14:27 -0500

Good morning

I have written 3 "quick and dirty" SNORT rules and am trying to follow
the write/test/write/test/write/test/write/test.

Unfortunately, even the first test isn't working.  I never see the
alert message for these rules in my alert log.  Is there some other
directive in the snort.conf file that could be precluding these
stateless "hits" from being processed in some way?

If you have any responses, we should probably take this off-line to
keep the list from being clogged, unless, of course, this is a "class"
problem for all first time rule writers.  I think it's something
stupid, but I just can't see it.


These are the simplest rules I could think of with the ongoing process
of modifying them for my final needs.  My ultimate goal is to be able
to grep the alert file for this LOCAL message and grab the timestamps;
I want to come up with a way to sanity check the duration of established
ssh sessions to compare against host machine log files.

Here are the rules:

[root@netsniff emerging]# cat /usr/local/etc/rules/local.rules
# $Id: local.rules,v 1.13 2005/02/10 01:11:04 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
#
alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS (flow:stateless; flags:S,12; msg: "LOCAL Connection attempt -- NetSys asset on port 22"; sid: 2008001;)
alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS (flow:stateless; flags:F,12; msg: "LOCAL Connection termination -- NetSys asset on port 22"; sid: 2008002;)
alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS (flow:stateless; flags:R,12; msg: "LOCAL Connection reset -- NetSys asset for port 22"; sid: 2008003;)
[root@netsniff emerging]#

The variables EXTERNAL_NET, NETSYS_NET, SSH_PORTS are all defined:

var HOME_NET 137.165.0.0/16
var NETSYS_NET 137.165.224.0/24
var EXTERNAL_NET !$HOME_NET


RULE_PATH is defined as var RULE_PATH /usr/local/etc/rules


Here is the portion of the snort.conf file that "includes" the
local.rules file:

#
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================

include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules


I have stopped and restarted snort with the same command line I always
use:

snort -A full -i eth3 -N -K none -c /usr/local/etc/snort.conf -D

PeteC


Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (office)
(413) 822-2922 (cell)
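As an added example (not part of the original post or its Snort configuration), here is the grep-and-timestamp step the post describes, done as a small Python script: it parses the records Snort's `-A full` mode writes for the three LOCAL sids in local.rules, pairs each connection-attempt alert with the next termination or reset alert for the same client/server pair, and reports the durations, plus SYNs that never closed and FIN/RST alerts with no preceding SYN. The alert records below are constructed sample data in the Snort 2.x full-alert layout, with the poster's 137.165.224.0/24 as the asset range and RFC 5737 documentation addresses as clients; the sids are the ones in the rules above. Two caveats a practitioner would want before trusting the durations: first, with no modifier the `flags` keyword matches exactly, so `flags:F,12` and `flags:R,12` fire only on bare FIN or RST segments and not on the FIN/ACK and RST/ACK that end most real sessions (the `+` modifier, as in `flags:F+`, matches FIN together with any other bits); second, Snort omits the year from alert timestamps unless it is run with `-y`, so the script parses them with Python's default year of 1900 and a session spanning a year boundary would get a wrong duration.

```python
import re
from datetime import datetime

# Constructed sample of what Snort 2.x writes with "-A full" (not taken from
# the original post).  Destinations sit in the poster's NETSYS_NET
# (137.165.224.0/24); clients use RFC 5737 documentation addresses.  Any
# "[Classification: ...] [Priority: n]" line Snort may emit is ignored below.
SAMPLE_ALERTS = """\
[**] [1:2008001:0] LOCAL Connection attempt -- NetSys asset on port 22 [**]
12/02-10:14:27.123456 192.0.2.10:51234 -> 137.165.224.5:22
TCP TTL:64 TOS:0x0 ID:31337 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40

[**] [1:2008001:0] LOCAL Connection attempt -- NetSys asset on port 22 [**]
12/02-10:20:00.000000 198.51.100.7:40000 -> 137.165.224.9:22
TCP TTL:64 TOS:0x0 ID:31338 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0BADF00D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40

[**] [1:2008002:0] LOCAL Connection termination -- NetSys asset on port 22 [**]
12/02-10:44:27.623456 192.0.2.10:51234 -> 137.165.224.5:22
TCP TTL:64 TOS:0x0 ID:31400 IpLen:20 DgmLen:40 DF
*******F Seq: 0x1A2B3D00  Ack: 0x0  Win: 0xFFFF  TcpLen: 20

[**] [1:2008003:0] LOCAL Connection reset -- NetSys asset for port 22 [**]
12/02-10:50:01.000000 203.0.113.5:55555 -> 137.165.224.5:22
TCP TTL:64 TOS:0x0 ID:31500 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
"""

SID_SYN, SID_FIN, SID_RST = 2008001, 2008002, 2008003  # sids from local.rules

# "[**] [gid:sid:rev] msg [**]" -- rev prints as 0 when the rule has no rev.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]\s*$")
# "MM/DD-HH:MM:SS.usec src:sport -> dst:dport" (no year unless snort ran with -y)
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$"
)


def parse_alerts(text):
    """Return one (sid, timestamp, src, sport, dst, dport) tuple per alert record."""
    records, sid = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sid = int(m.group(2))
            continue
        m = PACKET_RE.match(line)
        if m and sid is not None:
            # Year is absent, so strptime fills in 1900; only differences are used.
            ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
            records.append((sid, ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
            sid = None  # one packet line per alert header
    return records


def pair_sessions(records):
    """Pair each SYN alert with the next FIN/RST alert for the same client->server 4-tuple.

    Returns (closed, still_open, unmatched):
      closed     - list of dicts: client, server, start, end, how, duration_s
      still_open - dict {4-tuple: start} for SYNs with no later FIN/RST alert
      unmatched  - list of (4-tuple, ts) for FIN/RST alerts with no preceding SYN
    """
    open_syns, closed, unmatched = {}, [], []
    for sid, ts, src, sport, dst, dport in sorted(records, key=lambda r: r[1]):
        key = (src, sport, dst, dport)
        if sid == SID_SYN:
            open_syns.setdefault(key, ts)  # keep the first SYN if one was retransmitted
        elif sid in (SID_FIN, SID_RST):
            start = open_syns.pop(key, None)
            if start is None:
                unmatched.append((key, ts))
                continue
            closed.append({
                "client": "%s:%d" % (src, sport), "server": "%s:%d" % (dst, dport),
                "start": start, "end": ts,
                "how": "FIN" if sid == SID_FIN else "RST",
                "duration_s": (ts - start).total_seconds(),
            })
    return closed, open_syns, unmatched


def report(text):
    """One line per session, in a shape that lines up against sshd's own host log."""
    closed, still_open, unmatched = pair_sessions(parse_alerts(text))
    lines = []
    for s in closed:
        lines.append("%s -> %s  %s .. %s  %s  %.3fs" % (
            s["client"], s["server"], s["start"].strftime("%m/%d %H:%M:%S"),
            s["end"].strftime("%m/%d %H:%M:%S"), s["how"], s["duration_s"]))
    for (src, sport, dst, dport), start in still_open.items():
        lines.append("%s:%d -> %s:%d  %s .. (no FIN/RST alert seen)" % (
            src, sport, dst, dport, start.strftime("%m/%d %H:%M:%S")))
    for (src, sport, dst, dport), ts in unmatched:
        lines.append("%s:%d -> %s:%d  closed at %s with no SYN alert" % (
            src, sport, dst, dport, ts.strftime("%m/%d %H:%M:%S")))
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python ssh_sessions.py <snort alert file>   (default: built-in sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print("\n".join(report(data)))
```

On the sample, the 192.0.2.10 session closes by FIN after 1800.5 seconds, the 198.51.100.7 SYN is reported as still open, and the 203.0.113.5 RST is flagged as a close with no matching attempt; those last two buckets are what to look at first when the Snort view and the sshd log disagree.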
