Snort mailing list archives

Re: Rule Creation Question !.


From: Bennett Todd <bet () rahul net>
Date: Fri, 4 Oct 2002 10:33:58 -0400

2002-10-01-10:12:58 Moreno Poli:
If I have a server with pop3 and smtp services, is it possible to create a rule
that logs all incoming traffic except traffic for these 2 ports? I know
that it is possible to
create a rule that logs all traffic except 1 port, but if the ports are
two or three, is it possible?

There's More Than One Way To Do It, as the perl folks like to say.

You can use a rule to log everything incoming:

        log ip any any -> a.b.c.d any

(I think, I haven't done this). a.b.c.d is your server's IP address.
Then you have a choice of ways to make snort ignore incoming pop3
and SMTP. You can use a BPF filter to skip that traffic; that'd
probably be the most efficient mechanism, I think. It'd look
something like

        snort ... 'not (dst port smtp or pop3)'

(untried, I haven't done BPF in a while).

In fact, maybe even more efficient would be to use snort as a pure
sniffer, with nothing but bpf filtering --- or to just use tcpdump
the same way --- that'd be something like

        snort -i eth0 -dbel . \
          'dst host a.b.c.d and not (dst port smtp or pop3)'

Or equivalently

        tcpdump -i eth0 -w capturefile \
          'dst host a.b.c.d and not (dst port smtp or pop3)'

Anyway, going back to snort in IDS mode using log rules, you
could use the above log-everything line, and pass rules to exclude
smtp and pop3. That'd be a conf file like

        # snort wants numeric ports here (25 = smtp, 110 = pop3),
        # and "ip" rather than "any" in the protocol field
        pass tcp any any -> any 25
        pass tcp any any -> any 110
        log ip any any -> a.b.c.d any

Or you could just specify log entries to log everything except the
requested ports; that'd be something like

        log udp any any -> a.b.c.d any
        log icmp any any -> a.b.c.d any
        log tcp any any -> a.b.c.d 1:24
        log tcp any any -> a.b.c.d 26:109
        log tcp any any -> a.b.c.d 111:65535

I'm sure I've forgotten some more ways to do this.

And the above is all untested, so I may have committed typos or
brainos in there:-).

-Bennett
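Added example, not from Bennett's post or from the Snort project: a small Python helper that generalises the three approaches above (pass rules plus a catch-all log rule, explicit TCP port ranges, and a BPF filter) to any number of excluded ports, computing the complementary port ranges instead of writing them by hand, which is where off-by-one mistakes creep in once the list grows past two or three ports. The server address 10.0.0.5 and the port set are constructed inputs, and the function names are mine; the output is what you would paste into a snort.conf or onto a snort/tcpdump command line. Snort's rule protocol field accepts ip, tcp, udp or icmp, and its port field takes numbers and lo:hi ranges, which is why this emits 25 and 110 rather than service names.

```python
"""Generate "log everything except these ports" filters for Snort and BPF.

Added example, not code from the original thread or from Snort. It takes
the hand-written port-range trick from the post and computes the ranges
for an arbitrary set of excluded TCP ports, plus the equivalent pass-rule
and BPF-filter forms. Server IP and excluded ports below are constructed.
"""

from typing import Iterable, List

MAX_PORT = 65535


def complement_ranges(excluded: Iterable[int]) -> List[str]:
    """Snort lo:hi port ranges covering 0..65535 minus the excluded ports.

    Adjacent excluded ports (25 and 26, say) collapse into one gap, so no
    empty or inverted ranges are emitted; port 0 and 65535 are handled.
    """
    bad = sorted(set(excluded))
    for p in bad:
        if not 0 <= p <= MAX_PORT:
            raise ValueError(f"port out of range: {p}")
    ranges: List[str] = []
    start = 0
    for p in bad:
        if p > start:
            ranges.append(f"{start}:{p - 1}")
        start = p + 1
    if start <= MAX_PORT:
        ranges.append(f"{start}:{MAX_PORT}")
    return ranges


def snort_log_rules(server_ip: str, excluded: Iterable[int]) -> List[str]:
    """Explicit-range form: log UDP, ICMP, and TCP to every port not excluded."""
    rules = [
        f"log udp any any -> {server_ip} any",
        f"log icmp any any -> {server_ip} any",
    ]
    rules += [f"log tcp any any -> {server_ip} {r}"
              for r in complement_ranges(excluded)]
    return rules


def snort_pass_rules(server_ip: str, excluded: Iterable[int]) -> List[str]:
    """Pass-rule form: one pass rule per port, then a catch-all log rule.

    Snort evaluates pass rules before log rules in its default ordering,
    so the excluded ports never reach the log rule.
    """
    rules = [f"pass tcp any any -> {server_ip} {p}" for p in sorted(set(excluded))]
    rules.append(f"log ip any any -> {server_ip} any")
    return rules


def bpf_filter(server_ip: str, excluded: Iterable[int]) -> str:
    """BPF form, usable with snort's sniffer mode or tcpdump -w."""
    ports = sorted(set(excluded))
    if not ports:
        return f"dst host {server_ip}"
    clause = " or ".join(f"dst port {p}" for p in ports)
    return f"dst host {server_ip} and not ({clause})"


def port_is_logged(excluded: Iterable[int], port: int) -> bool:
    """Check one destination port against the generated ranges (what the
    explicit-range rules would match); used to sanity-check the output."""
    for r in complement_ranges(excluded):
        lo, hi = (int(x) for x in r.split(":"))
        if lo <= port <= hi:
            return True
    return False


if __name__ == "__main__":
    server, skip = "10.0.0.5", [25, 110]          # constructed inputs
    print("\n".join(snort_pass_rules(server, skip)), end="\n\n")
    print("\n".join(snort_log_rules(server, skip)), end="\n\n")
    print(bpf_filter(server, skip))
```

The explicit-range form grows by one rule per excluded port, while the pass-rule form grows by one pass rule per port and keeps a single log rule; the BPF form is a single expression and is the cheapest at capture time because excluded packets are dropped in the kernel before snort sees them.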
