Re: Quick Rule's Question...

[Erek Adams <erek () theadamsfamily net>]

On Wed, 6 Mar 2002, Mark Taber wrote:

[...snip...]

> (Rule that is in the web-misc file)
> alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403
> Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12;
> classtype:attempted-recon; sid:1201; rev:2;)
>
> (Rule that I am creating)
> pass tcp $HTTP_SERVERS 80 -> x.x.x.x (IP Of Server on my network)
> (msg:"WEB-MISC 403 Forbidden";flags: A+; content:"HTTP/1.1 403";
> depth:12; classtype:attempted-recon; sid:1201; rev:2;)

You'll need a dst port listed on the dst side of the rule header.  In this
case since it picks a random port, you'll need to use "any".  Since the pass
function tells the parser to "stop here, I don't care about this packet", you
could cut it down to:

  pass tcp $HTTP_SERVERS 80 -> x.x.x.x any

[If I'm wrong, somene jump in and clue-ify me!]

> I believe I would need to run snort with the -o switch configured, is
> that correct?

Yeppers.  And you'll need to be of the mind that _any_ packet on port 80 from
$HTTP_SERVERS will be passed.  IOW, if a l33t hax0r roots $HTTP_SERVERS he
could tunnel traffic on port 80 to any port on your dst server and you'd be
blind to it.  That's the kinda thing that will come back to bite you if you
don't watch it.  :)

This question would be perhaps better answered on the snort-sigs list where
the main topics are building, writing, and using rules.  I'm not sure if the
rule nazi's read this list...  :)

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users