v1.7 on NT4 - Can't get my own RULES working?? help.

[Bryce Stenberg <bryce () hrnz co nz>]

Hi,

I'm new to snort and first time user on this list - so firstly, I've looked
in the archives but could find no way to do a key word search. Is this
possible?    Anyway, sorry if repeating something often asked...

PROBLEM:
I've had snort running for a number of months ok with just the default rules
set.  However, there is so much activity from attack attempts that I decided
to not use all the rules and look instead for strings matching information
on our servers that should not be passing out over the internet (like
certain directory names, etc). This way I'll only get alerted to actual
successful penetrations/compromise of the network, at least I hope so.

So, I created a couple of rules of:

alert tcp any any <> $HOME_NET any (msg:"Outgoing directory listing via
tcp"; content: "enticing_directory_name"; nocase; flags: PA; priority:10;)

alert udp any any <> $HOME_NET any (msg:"Outgoing directory listing via
udp"; content: "enticing_directory_name"; nocase;  flags: PA; priority:10;)
.

I altered 'snort.conf' to NOT run any of the includes at end of file. Also
stopped all preprocessors except 'defrag' and 'http_decode'.

I initially placed my rules in 'local.rules' file but that had no effect -
do I have to 'include' a certain lib file (at end of 'snort.conf') to be
able to use 'local.rules' file?

Anyway, I next added my rules to the end of 'backdoor.rules' file and
uncommented the 'include backdoor-lib' since I expect that makes use of
backdoor.rules.

I then tested again (by ftp'ing directory listings and text files containing
the content string from the server running snort so the packets had to be
seen by snort).  Still no alert outputs?

So can anyone offer me advice on how to get it working please?
I hope the above enough information but if more needed just ask.
If its a problem with my actual rules, I have also tried various
combinations in the header like:
alert tcp any any <> any any (
alert tcp any any -> $HOME_NET any (
alert tcp any any <- $HOME_NET any (
  etc....

Regards,
  Bryce Stenberg.
     Harness Racing New Zealand computer department,
     emailto:bryce () hrnz co nz


CAUTION: This email message and accompanying data may contain information
that is confidential and subject to legal privilege. If you are not the
intended recipient you are notified that any use, dissemination,
distribution or copying of this message or data is prohibited. If you have
received this email message in error please notify us immediately and erase
all copies of the message and attachments.
 ALSO, unless expressly stated otherwise, the contents of this message
represent only the views of the sender as expressed only to the intended
recipient, do not commit Harness Racing New Zealand (HRNZ) to any course of
action and are not intended to impose any legal obligation upon HRNZ.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users