Snort mailing list archives
v1.7 on NT4 - Can't get my own RULES working?? help.
From: Bryce Stenberg <bryce () hrnz co nz>
Date: Tue, 19 Feb 2002 11:52:51 +1300
Hi, I'm new to snort and a first time user on this list - so firstly, I've looked in the archives but could find no way to do a key word search. Is this possible? Anyway, sorry if repeating something often asked...

PROBLEM: I've had snort running for a number of months ok with just the default rules set. However, there is so much activity from attack attempts that I decided to not use all the rules and look instead for strings matching information on our servers that should not be passing out over the internet (like certain directory names, etc). This way I'll only get alerted to actual successful penetrations/compromise of the network, at least I hope so.

So, I created a couple of rules of:

    alert tcp any any <> $HOME_NET any (msg:"Outgoing directory listing via tcp"; content: "enticing_directory_name"; nocase; flags: PA; priority:10;)
    alert udp any any <> $HOME_NET any (msg:"Outgoing directory listing via udp"; content: "enticing_directory_name"; nocase; flags: PA; priority:10;)

I altered 'snort.conf' to NOT run any of the includes at end of file. Also stopped all preprocessors except 'defrag' and 'http_decode'. I initially placed my rules in 'local.rules' file but that had no effect - do I have to 'include' a certain lib file (at end of 'snort.conf') to be able to use 'local.rules' file?

Anyway, I next added my rules to the end of 'backdoor.rules' file and uncommented the 'include backdoor-lib' since I expect that makes use of backdoor.rules. I then tested again (by ftp'ing directory listings and text files containing the content string from the server running snort so the packets had to be seen by snort). Still no alert outputs?

So can anyone offer me advice on how to get it working please? I hope the above is enough information but if more is needed just ask. If it's a problem with my actual rules, I have also tried various combinations in the header like:

    alert tcp any any <> any any (
    alert tcp any any -> $HOME_NET any (
    alert tcp any any <- $HOME_NET any (

etc....
Regards, Bryce Stenberg. Harness Racing New Zealand computer department, emailto:bryce () hrnz co nz
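The header and option semantics behind the rules in the post, worked through as an added example that is not from the post or from Snort itself: a small Python model of how a Snort 1.x rule header (direction operator, $HOME_NET) and the options used above (content, nocase, flags) are evaluated against packets. The $HOME_NET value and the packets are constructed for the example; the real network is not given in the post.

```python
import ipaddress
import re
from dataclasses import dataclass

HOME_NET = "192.168.1.0/24"  # constructed value; the poster's real $HOME_NET is not in the post

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    payload: bytes
    flags: str = ""     # TCP flags set on the segment, e.g. "PA"; always empty for UDP

def parse_rule(text):
    # Header: action proto src sport dir dst dport, then the option body in parentheses
    m = re.match(r"(\w+)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if direction not in ("->", "<>"):       # Snort knows only these two operators; '<-' is not one
        raise ValueError("bad direction operator %r (swap the addresses and use ->)" % direction)
    # Options are 'key:value;' pairs; flag-style options such as 'nocase' have an empty value
    opts = {k.strip(): v.strip().strip('"') for k, _, v in (o.partition(":") for o in body.split(";") if o.strip())}
    if proto == "udp" and "flags" in opts:  # UDP has no flags field; the option only makes sense for tcp
        raise ValueError("'flags' is a TCP-only option and cannot appear in a udp rule")
    return {"proto": proto, "src": src, "dst": dst, "dir": direction, "opts": opts}

def addr_matches(spec, ip):
    # 'any', '$HOME_NET' or a CIDR, with Snort's leading '!' negation
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!").replace("$HOME_NET", HOME_NET)
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)) != negate

def rule_matches(rule, pkt):
    # Ports are ignored here because the post's rules use 'any any'
    if rule["proto"] != pkt.proto:
        return False
    fwd = addr_matches(rule["src"], pkt.src) and addr_matches(rule["dst"], pkt.dst)
    rev = addr_matches(rule["src"], pkt.dst) and addr_matches(rule["dst"], pkt.src)
    if not (fwd or (rule["dir"] == "<>" and rev)):
        return False
    opts = rule["opts"]
    # 'flags:PA' with no modifier means exactly PSH+ACK; a data segment carrying only ACK does not match
    if "flags" in opts and set(opts["flags"]) != set(pkt.flags):
        return False
    needle, hay = opts["content"].encode(), pkt.payload
    if "nocase" in opts:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay
```

The model shows why an exact flags test can miss parts of a file transfer and why the udp rule and the '<-' header are rejected when loaded rather than silently matching nothing.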