Snort mailing list archives

RE: Help with custom rule


From: "Dell, Jeffrey" <JDell () seisint com>
Date: Thu, 26 Jul 2001 18:50:23 -0400

Just put a !80 as the source. Example:

Original:
alert tcp $HOME_NET any -> $EXTERNAL_NET 5032 (msg:"BACKDOOR NetMetro File List"; flags: A+; content:"|2D 2D|"; reference:arachnids,79; sid:159; rev:1;)

New alert:
alert tcp $HOME_NET !80 -> $EXTERNAL_NET 5032 (msg:"BACKDOOR NetMetro File List"; flags: A+; content:"|2D 2D|"; reference:arachnids,79; sid:159; rev:1;)

I hope this helps.
Jeff
-----Original Message-----
From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
Sent: Thursday, July 26, 2001 6:37 PM
To: Snort List (E-mail)
Subject: [Snort-users] Help with custom rule
I was wondering if anyone out there could help me with a custom rule? I'm
using Snort 1.7 on Red Hat Linux 7.0.

Here's the scenario. There are many default rules that come with Snort that
check for certain destination ports, such as the Backdoor Netmetro Trojan on
port 5032. So if a packet is seen with a destination port of 5032, Snort
flags it as a Backdoor Netmetro trojan. The problem with this is that if a
client happens to initiate a TCP handshake using 5032 as the random SOURCE
port, our servers reply with 5032 as the destination port, triggering a
Snort alert. This is normal TCP operation so it happens all the time.

An example where x.x.x.x is a host on the Internet and y.y.y.y is my web
server:

x.x.x.x:5032   -->   y.y.y.y:80
the web server replies to the host with:
y.y.y.y:80    -->    x.x.x.x:5032

This triggers a false positive for the Backdoor Netmetro. This type of false
positive can obviously occur under any destination port. As a result we get
TONS of false positives every day. Using the above example, I want to create
a custom Snort rule that says "if the source port is NOT equal to 80 AND the
destination port is 5032, THEN trigger an alert for the Backdoor NetMetro
trojan." This would cut WAY down on the false positives I see every day
against our web server. In other words, if our web server was not replying
to the host on the Internet using port 80 as the source, then this would
more likely not be part of a regular transaction and would at least cut down
on the majority of false positives. The "not equal to" scenario would work
great to cut down on a LOT of other false positives as well. Does anyone
know if this can be done?


Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
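The following is an added worked example, not code from either message or from the Snort project. It is a small Python evaluator for the port fields of a Snort rule header, written to show what putting `!80` in the source-port position of the NetMetro rule does and does not filter. It models only the port grammar (`any`, `N`, `!N`, `lo:hi`, open-ended ranges, and bracketed lists, the last being Snort 2.x syntax rather than anything available in the 1.7 release discussed in the thread), ignores the address variables, handles only the `->` direction, and the three packets are constructed to mirror the scenario in the thread, not captured traffic.

```python
# Added example (not from the Snort thread): evaluate the port fields of a
# Snort rule header against constructed packets to see which ones fire.
#
# Port spec grammar modelled here (bracket lists are Snort 2.x syntax):
#   any | N | !N | lo:hi | :hi | lo: | [a,b,lo:hi] | ![a,b]
# Addresses ($HOME_NET / $EXTERNAL_NET) are ignored; only "->" is handled.

from dataclasses import dataclass
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"->\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


def parse_ports(spec):
    """Turn one port field of a rule header into a predicate over a port."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    parts = spec[1:-1].split(",") if spec.startswith("[") and spec.endswith("]") else [spec]
    ranges = []
    for part in parts:
        part = part.strip()
        if part == "any":
            ranges.append((0, 65535))
        elif ":" in part:                      # lo:hi, :hi or lo:
            lo, hi = part.split(":", 1)
            ranges.append((int(lo) if lo else 0, int(hi) if hi else 65535))
        else:
            n = int(part)
            ranges.append((n, n))

    def matcher(port):
        hit = any(lo <= port <= hi for lo, hi in ranges)
        return (not hit) if negated else hit
    return matcher


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def header_matches(rule, pkt):
    """True if the packet's ports satisfy the rule header (addresses ignored)."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparsable rule header: " + rule)
    return parse_ports(m.group("sport"))(pkt.sport) and parse_ports(m.group("dport"))(pkt.dport)


# The rule as shipped, the "!80" variant from the reply, and (hypothetical,
# Snort 2.x list syntax) a variant that also excludes an HTTPS listener.
ORIGINAL_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 5032 '
                 '(msg:"BACKDOOR NetMetro File List"; flags: A+; content:"|2D 2D|"; '
                 'reference:arachnids,79; sid:159; rev:1;)')
MODIFIED_RULE = ORIGINAL_RULE.replace("$HOME_NET any", "$HOME_NET !80")
LIST_RULE = ORIGINAL_RULE.replace("$HOME_NET any", "$HOME_NET ![80,443]")

# Constructed packets (y.y.y.y = local server, x.x.x.x = Internet host).
WEB_REPLY = Packet("y.y.y.y", 80, "x.x.x.x", 5032)     # the false positive in the thread
HTTPS_REPLY = Packet("y.y.y.y", 443, "x.x.x.x", 5032)  # same pattern, another local service
SUSPECT = Packet("y.y.y.y", 1234, "x.x.x.x", 5032)     # no legitimate service on 1234


def demo():
    """Which constructed packets each rule header lets through to the payload checks."""
    rules = {"original": ORIGINAL_RULE, "not_80": MODIFIED_RULE, "not_80_443": LIST_RULE}
    packets = {"web_reply": WEB_REPLY, "https_reply": HTTPS_REPLY, "suspect": SUSPECT}
    return {name: [p for p, pkt in packets.items() if header_matches(rule, pkt)]
            for name, rule in rules.items()}


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:12s} -> {fired}")
```

Running `demo()` shows the trade-off: `!80` stops the web server's replies from reaching the payload checks, but a reply from any other local listener (443 above) to a client that happened to pick 5032 as its ephemeral port still matches, so each exposed service has to be excluded in turn. The underlying problem is that the header plus `flags: A+` says nothing about which side opened the connection; negating source ports is a workaround for that, not a statement of direction.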