Snort mailing list archives
RE: Help with custom rule
From: "Dell, Jeffrey" <JDell () seisint com>
Date: Thu, 26 Jul 2001 18:50:23 -0400
just put a !80 as the source. example: Original: alert tcp $HOME_NET any -> $EXTERNAL_NET 5032 (msg:"BACKDOOR NetMetro File List"; flags: A+; content:"|2D 2D|"; reference:arachnids,79; sid:159; rev:1;) new alert: alert tcp $HOME_NET !80 -> $EXTERNAL_NET 5032 (msg:"BACKDOOR NetMetro File List"; flags: A+; content:"|2D 2D|"; reference:arachnids,79; sid:159; rev:1;) I hope this helps. Jeff -----Original Message----- From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com] Sent: Thursday, July 26, 2001 6:37 PM To: Snort List (E-mail) Subject: [Snort-users] Help with custom rule I was wondering if anyone out there could help me with a custom rule? I'm using Snort 1.7 on Red Hat Linux 7.0. Here's the scenario. There are many default rules that come with Snort that check for certain destination ports, such as the Backdoor Netmetro Trojan on port 5032. So if a packet is seen with a destination port of 5032, Snort flags it as a Backdoor Netmetro trojan. The problem with this is that if a client happens to initiate a TCP handshake using 5032 as the random SOURCE port, our servers reply with 5032 as the destination port, triggering a Snort alert. This is normal TCP operation so it happens all the time. An example where x.x.x.x is a host on the Internet and y.y.y.y is my web server: x.x.x.x:5032 --> y.y.y.y:80 the web server replies to the host with: y.y.y.y:80 --> x.x.x.x:5032 This triggers a false positive for the Backdoor Netmetro. This type of false positive can obviously occur under any destination port. As a result we get TONS of false positives every day. Using the above example, I want to create a custom Snort rule that says "if the source port is NOT equal to 80 AND the destination port is 5032, THEN trigger an alert for the Backdoor NetMetro trojan. This would cut WAY down on the false positives I see every day against our web server. In other words, if our web server was not replying to the host on the Internet using port 80 as the source, then this would more likely not be part of a regular transaction and would at least cut down on the majority of false positives. The "not equal to" scenario would work great to cut down on a LOT of other false positives as well. Does anyone know if this can be done? Thanks, Paul _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users This transmission may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Help with custom rule Sheahan, Paul (PCLN-NW) (Jul 26)
- Re: Help with custom rule Jim Forster (Jul 26)
- <Possible follow-ups>
- RE: Help with custom rule Dell, Jeffrey (Jul 26)
- RE: Help with custom rule Sheahan, Paul (PCLN-NW) (Jul 27)