Snort mailing list archives
Re: general custom rules questions
From: Jim Forster <jforster () rapidnet com>
Date: Thu, 28 Feb 2002 15:14:35 -0700
---==On Thu, 28 Feb 2002 16:31:58 -0500, Basil Saragoza wrote==---
1. If I want to create my own rules then should I place it in the local.rules file or create my own file? (And then use snort -o)
Yes, that's why I added them - it's just easier when you update your ruleset to know they won't be overwritten. (I have now changed it to mylocal.rules for my systems, so installing a new set won't touch my files with the 'default' empty one.)
2. As to the flexresp rules... I understand it is quite dangerous and it can cause more harm than good... is there any tutorial or user archive for custom written rules?
Flex drops the request, not necessarily the connection.
I make a request for "welcome.html" - ok
I make a request for "cmd.exe" - a TCP RST is sent
I make a request for "welcome2.html" - ok
No firewall rules are changed/added and no black holing of the attacker occurs.
3. Let's say I created a flexresp rule for some annoying hostile connection, O.K., now it's dropped. Then the hacker figures out what is going on and spoofs his address to novell.com address, then I can't block it cause I
You block by the packet content. This would just mean he couldn't pretend to be from novell and attack you either. :) I've had mixed luck with flexresp; from what you've said here, Hogwash may actually be what you're looking for.
--------------------------------------------------------------------
Sleep: A completely inadequate substitute for caffeine.
Jim Forster, jforster () rapidnet com on 02/28/2002
Network Administrator
RapidNet, A Golden West Company
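As an added illustration (not part of Jim's reply or of the Snort distribution), a mylocal.rules fragment contrasting the address-based block the question has in mind with the content-based rule Jim recommends. The source address, message strings and sid values are constructed, $HOME_NET and $EXTERNAL_NET are assumed to be defined in snort.conf, and the resp keyword only does anything if Snort was built with flexresp support.

```snort
# mylocal.rules (constructed example; sids from 1000001 up are the local range
# so they will not collide with the distributed ruleset)
# $EXTERNAL_NET and $HOME_NET are assumed to be set in snort.conf.

# Address-based: fires only for this one source (192.0.2.10 is a documentation
# address used as a placeholder). If the attacker spoofs a different source,
# the rule never matches - exactly the problem raised in question 3.
alert tcp 192.0.2.10 any -> $HOME_NET 80 (msg:"LOCAL hostile host"; flags:A+; sid:1000001; rev:1;)

# Content-based: matches the request itself no matter who sent it, so spoofing
# the source address gains the attacker nothing. With flexresp compiled in,
# resp:rst_all sends a TCP RST to both ends for this request only; the next
# request on a new connection (e.g. welcome2.html) is evaluated on its own and
# passes, and no firewall rule is added anywhere.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL cmd.exe request"; flags:A+; content:"cmd.exe"; nocase; resp:rst_all; sid:1000002; rev:1;)
```

Load the file from snort.conf with an include line alongside the distributed rules; with -o the pass rules are checked before alert rules, so a pass rule for a legitimate host can exempt it from the second rule without editing the rule itself.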