Snort mailing list archives

Re: Catchall rule


From: "njharris" <njharris () mindspring com>
Date: Wed, 5 Feb 2003 23:53:16 -0600

I use one rule "alert ip any any -> any any" to log all packets to a mysql
database. I would prefer to use tcpdump, but if it is on a windows system,
windump doesn't seem to log to a database.

    Good Luck
    Nick Harris
    TNS Consulting

----- Original Message -----
From: <snort-users-request () lists sourceforge net>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, February 05, 2003 10:32 PM
Subject: Snort-users digest, Vol 1 #2759 - 6 msgs



Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2758 - 10 msgs (Kenton Smith)
   2. RE: MySql and Snort (L. Christopher Luther)
   3. Starting and Stopping Snort feeding Mysql (James M. Driskell)
   4. Catchall Rule (John Cherbini)
   5. RE: Catchall Rule (John Cherbini)
   6. Re: Catchall Rule (twig les)

--__--__--

Message: 1
From: Kenton Smith <ksmith () chartwelltechnology com>
To: snort-users () lists sourceforge net
Cc: dennisg () northshoreagency com
Organization: Chartwell Technology Inc.
Date: 05 Feb 2003 16:37:00 -0700
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2758 - 10 msgs

The confusing part about these messages is in the source and destination
addresses. The source of the message is the equipment sending back the
Unreachable message. The Destination is the machine that would have
originally sent the ICMP packet. So in this case the machines to look at
are the ones shown as destination by the Snort alert (in your case, if I
understand correctly, your web server and Snort sensor).

I think you should investigate this closely and here's why:

Script kiddie crafts malicious (or other) packets using *your* Web
Server's IP address. *He* spews the packets out and some of them hit
equipment that sends back the Unreachable message. *He's* not going to
get the return traffic; you are because he used *your* IP address in the
packet. Therefore if you can't find any evidence of your machines
sending out ICMP packets to the address listed as Source by Snort, you
may want to consider the fact that someone is spoofing your address.

Just my $0.02

Kenton Smith

On Wed, 2003-02-05 at 16:09, dennisg () northshoreagency com wrote:

I have received over 7000 "ICMP Destination Unreachable (Communication
Administratively Prohibited)" alerts in the last 6 days.  I looked on
snort.org for info about this alert, but I'm still unsure if this is
something I need to worry about, and if not how can I remove this alert?

I run snort on an MS Windows 2000 Server.


Thanks,

Dennis Gorman
Network Manager
North Shore Agency
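
Kenton's advice comes down to reading the packet that is quoted inside the ICMP error: the alert's source is the router that sent the error, the alert's destination is the host whose address appeared as source in the quoted packet, and only the quoted header tells you what that host supposedly sent. The following is an added example (not code from the list, from Dennis's sensor, or from Snort) that decodes an ICMP Destination Unreachable, recovers the quoted original IP header plus the first 8 bytes of its transport header as RFC 792 lays them out, and compares that against flows the host is known to have originated. The sample packet and its addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are constructed, and the set of "known outbound" flows is a hypothetical input you would build from the host's own connection logs or a capture taken on the host itself; the thread contains no such data.

```python
"""Decode an ICMP Destination Unreachable and check the packet it quotes.

Added example: constructed packet, not a capture from the list thread.
"""
import socket
import struct

IPPROTO_ICMP = 1
ICMP_DEST_UNREACH = 3
ICMP_ADMIN_PROHIBITED = 13  # code 13: Communication Administratively Prohibited


def ipv4_header(buf):
    """Parse an IPv4 header; honours IHL so options do not shift the payload."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl}, ihl


def decode_unreachable(pkt):
    """Return who reported the error and which packet of ours it quotes.

    Snort's alert shows the outer addresses: source = the reporting router,
    destination = the host the quoted packet claimed to come from.
    """
    outer, hl = ipv4_header(pkt)
    if outer["proto"] != IPPROTO_ICMP:
        raise ValueError("outer packet is not ICMP")
    icmp = pkt[hl:]
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    inner, ihl = ipv4_header(icmp[8:])  # RFC 792: original header + first 8 bytes
    l4 = icmp[8 + ihl:8 + ihl + 8]
    sport = dport = None
    if inner["proto"] in (6, 17) and len(l4) >= 4:  # TCP/UDP ports sit in those bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"reporter": outer["src"], "our_host": outer["dst"], "code": code,
            "quoted": {"src": inner["src"], "dst": inner["dst"],
                       "proto": inner["proto"], "sport": sport, "dport": dport}}


def assess(report, known_outbound):
    """Did our host really send the quoted packet?

    known_outbound: set of (src, dst, proto, dport) tuples built from the
    host's own connection logs or a capture taken on the host (hypothetical
    input; the thread gives no such data).
    """
    q = report["quoted"]
    if q["src"] != report["our_host"]:
        return "unrelated"       # the quoted packet did not even claim to be ours
    if (q["src"], q["dst"], q["proto"], q["dport"]) in known_outbound:
        return "expected"        # we sent it; a filter on the path rejected it
    return "possible-spoof"      # a reply to traffic we never sent


def _checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ipv4(src, dst, proto, payload, ttl=64):
    """Build a plain 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def sample_unreachable():
    """Constructed sample: router 198.51.100.1 tells 192.0.2.10 that its SYN to
    203.0.113.5:80 was administratively prohibited (documentation addresses)."""
    quoted_tcp = struct.pack("!HHI", 40000, 80, 0x1234ABCD)  # sport, dport, seq
    quoted = _ipv4("192.0.2.10", "203.0.113.5", 6, quoted_tcp)
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", _checksum(body)) + body[4:]
    return _ipv4("198.51.100.1", "192.0.2.10", IPPROTO_ICMP, body)


if __name__ == "__main__":
    report = decode_unreachable(sample_unreachable())
    print(report)
    print(assess(report, {("192.0.2.10", "203.0.113.5", 6, 80)}))  # expected
    print(assess(report, set()))                                  # possible-spoof
```

The check is only as good as the "known outbound" set: build it from a capture on the host itself (or its own connection logs), not from the sensor, because a sensor on a span port would also see the spoofed packets if they transit your segment. Checksums are not verified on decode; a forged error would pass them anyway.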

--__--__--

Message: 2
From: "L. Christopher Luther" <CLuther () Xybernaut com>
To: 'Cilin' <cilin5 () yahoo com>
Cc: "Snort-Users (E-mail)" <snort-users () lists sourceforge net>
Date: Wed, 5 Feb 2003 19:48:35 -0500
Subject: [Snort-users] RE: MySql and Snort

Cilin,

Please post additional information so that we can better help you.  For
example:

o  The Snort command line you use when not sniffing (i.e., the '-v' puts
Snort in sniffer mode, not in packet logger mode).

o  Output plugins in snort.conf

o  etc.


Regards,

Christopher


-----Original Message-----
Date: Wed, 5 Feb 2003 14:51:32 -0800 (PST)
From: Cilin <cilin5 () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] MySql and Snort

Hi, I am a newbie to snort and also have the problem of
Snort not logging into the MySql database. I did the
following steps, as recommended in one of the earlier
emails, but nothing helped.

1.  Created the database snort in MySQL with
appropriate permissions for users and hosts.
2.  Ran the script contrib/create_mysql in the snort
source code against the database as a user with the
correct permissions.
3.  Uncommented and supplied user, password, database
and host for the output database line for mysql in the
snort.conf file.
4.  Restarted Snort.

and still nothing.
Snort does log the scans (scan.log gets updated every
time I run a scan over the network).
However I haven't gotten a single error yet.
(alert.ids is 0Kb)

when I run snort from the command line via
"snort -v -i 1" I get:

0 dropped packages

Action stats:
Alerts: 0
Logs  : 0
Passed: 0

Wireless Stats, Fragmentation Stats, TCP Stream
Reassembly stats have ONLY '0's.

Please help, I have searched the internet and the
forums for any clues for the past 2 weeks but didn't
find anything.



--__--__--

Message: 3
From: "James M. Driskell" <jdriskell () ups edu>
To: <snort-users () lists sourceforge net>
Date: Wed, 5 Feb 2003 17:08:17 -0800
Subject: [Snort-users] Starting and Stopping Snort feeding Mysql

Hello,

I'm running 2 snort sensors feeding a mysql database on another box. I
get the following errors periodically from either box:

Feb  5 14:31:40 snort1 snort: database: mysql_error: Duplicate entry
'3-4958' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp)
VALUES ('3', '4958', '5', '2003-02-05 14:31:40-08')

Feb  5 14:31:50 snort1 snort: database: mysql_error: Duplicate entry
'3-4959' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp)
VALUES ('3', '4959', '5', '2003-02-05 14:31:50-08')

I can clear the problem by stopping and restarting the offending snort
box, but I'd rather fix the problem. I also note that I get an unknown
sensor when I restart snort.

I've had to stop and start snort daily because the local alert and
scan.logs tend to run me out of disk space on the snort boxes. I guess
I need to invest in new hd's but until then, can anyone help me fix this
problem.

Thanks,

Jim Driskell
University of Puget Sound

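The "Duplicate entry '3-4958' for key 1" line is MySQL refusing a second row with the same (sid, cid) pair; that pair is the primary key of the event table in the contrib/create_mysql schema, where sid identifies the sensor row and cid is a per-sensor event counter. The following is an added example, not Snort's own output-plugin code and not a diagnosis of Jim's setup: a sqlite3 model of two writers that each read MAX(cid) once at start-up and then count locally, which is one way to produce exactly this error, beside a single-statement allocation that lets the database hand out the next cid so concurrent writers on one sid cannot pick the same value. The table layout is reproduced from memory of create_mysql (treat column details as an assumption), and the sensor row, signature id and timestamps are constructed.

```python
"""Model of the (sid, cid) primary key on Snort's event table and how two
writers collide on it. Added example; not Snort's spo_database code."""
import sqlite3

# Layout after contrib/create_mysql, reproduced from memory: treat as an assumption.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT, interface TEXT, filter TEXT,
    detail    INTEGER, encoding INTEGER,
    last_cid  INTEGER NOT NULL);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid));
"""


class CountingWriter:
    """One sensor process: reads MAX(cid) once at start-up, then counts locally.

    Two such writers on the same sid (or one restarted from a stale counter)
    hand out the same cid and trip the primary key, which surfaces in MySQL
    as the 'Duplicate entry' error quoted in the thread."""

    def __init__(self, conn, sid):
        self.conn, self.sid = conn, sid
        (last,) = conn.execute("SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?",
                               (sid,)).fetchone()
        self.next_cid = last + 1

    def log(self, signature, ts):
        """Insert one event; True on success, False when the key already exists."""
        try:
            with self.conn:  # commit on success, roll back on error
                self.conn.execute(
                    "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
                    (self.sid, self.next_cid, signature, ts))
                self.conn.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?",
                                  (self.next_cid, self.sid))
            return True
        except sqlite3.IntegrityError:
            return False
        finally:
            self.next_cid += 1  # the local counter ticks on either way


def allocate_in_db(conn, sid, signature, ts):
    """Let the database pick the next cid in the same statement that inserts it.

    INSERT ... SELECT MAX(cid)+1 is a single statement, so the database
    serialises it against other writers on the same table. Returns the cid."""
    with conn:
        conn.execute(
            "INSERT INTO event (sid, cid, signature, timestamp) "
            "SELECT ?, COALESCE(MAX(cid), 0) + 1, ?, ? FROM event WHERE sid = ?",
            (sid, signature, ts, sid))
        # Read back inside the same transaction; with one connection this is
        # the row just inserted.
        (cid,) = conn.execute("SELECT MAX(cid) FROM event WHERE sid = ?", (sid,)).fetchone()
        conn.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?", (cid, sid))
    return cid


def simulate():
    """Three events from writer A, then a second writer B on the same sid."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor (hostname, interface, filter, detail, encoding, last_cid) "
                 "VALUES ('snort1', 'eth0', NULL, 1, 0, 0)")  # constructed sensor row
    (sid,) = conn.execute("SELECT sid FROM sensor WHERE hostname = 'snort1'").fetchone()
    a = CountingWriter(conn, sid)
    results = [a.log(5, "2003-02-05 14:31:%02d" % s) for s in (10, 20, 30)]  # cid 1..3
    b = CountingWriter(conn, sid)  # starts at MAX(cid)+1 == 4, the same as A
    results.append(a.log(5, "2003-02-05 14:31:40"))  # A takes cid 4
    results.append(b.log(5, "2003-02-05 14:31:40"))  # B wants 4: duplicate entry '1-4'
    results.append(b.log(5, "2003-02-05 14:31:50"))  # B takes 5
    results.append(a.log(5, "2003-02-05 14:31:50"))  # A wants 5: duplicate again
    fixed = [allocate_in_db(conn, sid, 5, "2003-02-05 14:32:00") for _ in range(2)]
    return results, fixed, conn


if __name__ == "__main__":
    results, fixed, _ = simulate()
    print(results)  # [True, True, True, True, False, True, False]
    print(fixed)    # [6, 7]
```

The practical check this suggests for a real deployment: confirm that exactly one Snort process is writing under each sid (ps on each sensor box, and one row per sensor in the sensor table), since two processes or two sensors that resolve to the same sid will keep colliding no matter how often you restart them.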

--__--__--

Message: 4
From: "John Cherbini" <cherbini () dakotacom net>
To: "'Snort User Groups'" <snort-users () lists sourceforge net>
Date: Wed, 5 Feb 2003 20:39:35 -0700
Subject: [Snort-users] Catchall Rule


Hello everyone...

We're working on a project, where as a part of it, we would like to use
snort to add *every* packet it reads in a file to the DB.

I've got the command line down, but I'd like to check on a rule that
will set *every* packet to generate a flag.

After looking through this doc..

http://www.snort.org/docs/writing_rules/chap2.html

I'm thinking something like this:

Alert tcp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
Alert udp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
Alert icmp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)

My concern is the third "any"...not sure if that will work.

Does anyone have any input on this?

I'd appreciate any advice!

Thanks!

John Cherbini


--__--__--

Message: 5
From: "John Cherbini" <cherbini () dakotacom net>
To: "'Snort User Groups'" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Catchall Rule
Date: Wed, 5 Feb 2003 21:28:35 -0700


We wanted to have them all logged into a DB, and most importantly,
parsed!  And we didn't feel like writing our own parser.

I've got it figured out though... with these rules:

######CATCHALL RULES########
alert tcp any any -> any any (msg:"tcp traffic"; sid:1000001; rev:1;)
alert udp any any -> any any (msg:"udp traffic"; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"icmp traffic"; sid:1000003; rev:1;)
############################

John C.

-----Original Message-----
From: Jacob Redding [mailto:dextor () WiredGeek com]
Sent: Wednesday, February 05, 2003 9:18 PM
To: John Cherbini
Cc: 'Snort User Groups'
Subject: Re: [Snort-users] Catchall Rule


  Why not just use tcpdump??

-Jacob

On Wed, 5 Feb 2003, John Cherbini wrote:

Hello everyone...

We're working on a project, where as a part of it, we would like to
use snort to add *every* packet it reads in a file to the DB.

I've got the command line down, but I'd like to check on a
rule that
will set *every* packet to generate a flag.

After looking through this doc..

http://www.snort.org/docs/writing_rules/chap2.html

I'm thinking something like this:

Alert tcp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
Alert udp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
Alert icmp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)

My concern is the third "any"...not sure if that will work.

Does anyone have any input on this?

I'd appreciate any advice!

Thanks!

John Cherbini






--__--__--

Message: 6
Date: Wed, 5 Feb 2003 20:31:52 -0800 (PST)
From: twig les <twigles () yahoo com>
Subject: Re: [Snort-users] Catchall Rule
To: John Cherbini <cherbini () dakotacom net>,
  'Snort User Groups' <snort-users () lists sourceforge net>

Well if I break out my dusty TCP/IP skills it seems that those three rules
would miss any packets that have TCP options since the 5 in |45 00| equates
to a 20-byte header. But since I've had a string of stupid mistakes in the
last week anyone can correct me.  :)

What I'm wondering even more though is why you don't just write a rule
based on IP instead of the 3 protocols that are embedded in IP. Of course
curiosity forces me to ask why you are using snort to cram everything into
a database too.

--- John Cherbini <cherbini () dakotacom net> wrote:
Hello everyone...

We're working on a project, where as a part of it, we would like to use
snort to add *every* packet it reads in a file to the DB.

I've got the command line down, but I'd like to check on a rule that
will set *every* packet to generate a flag.

After looking through this doc..

http://www.snort.org/docs/writing_rules/chap2.html

I'm thinking something like this:

Alert tcp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
Alert udp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
Alert icmp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)

My concern is the third "any"...not sure if that will work.

Does anyone have any input on this?

I'd appreciate any advice!

Thanks!

John Cherbini



=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------

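Three details decide whether a "catchall" actually catches everything: the rule header needs seven fields (action, protocol, source address, source port, direction, destination address, destination port), so the six-field form in the first post never loads; a tcp/udp/icmp trio ignores every other IP protocol, which is why the `ip` form Nick and twig les suggest is the real catchall; and Snort's content keyword searches the packet payload, so the IP header bytes 45 00 are never in scope for it, while the low nibble of that byte (IHL) is what sets the header length that twig les's remark rests on. The following is an added example of mine, not code from the list or from Snort: a small checker that parses a rule header, decodes a |..| content string, and reports which of a constructed packet set each rule set catches. The packet list is made up, and the matcher is a model that honours only protocol and content (addresses and ports are treated as any), not Snort's detection engine.

```python
"""Which catch-all Snort rules catch which packets? Added example; a model of
the rule header and content match, not Snort's parser or detection engine."""

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


def parse_rule(text):
    """Split a Snort rule into its 7-field header and its option list.

    Header grammar: action proto src_ip src_port direction dst_ip dst_port.
    Raises ValueError for the six-field form 'alert tcp any any -> any (...)'.
    """
    head, sep, rest = text.partition("(")
    if not sep or not rest.rstrip().endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses: %r" % text)
    fields = head.split()
    if len(fields) != 7:
        raise ValueError("header needs 7 fields (action proto src sport dir dst dport), "
                         "got %d in %r" % (len(fields), head.strip()))
    action, proto, src, sport, direction, dst, dport = fields
    if direction not in ("->", "<>"):
        raise ValueError("bad direction %r" % direction)
    opts = {}
    for item in rest.rstrip()[:-1].split(";"):
        if item.strip():
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip()
    return {"action": action.lower(), "proto": proto.lower(), "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "opts": opts}


def is_valid_rule(text):
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def content_bytes(spec):
    """Decode a content value: |..| runs are hex bytes, the rest is literal text."""
    out = b""
    for i, part in enumerate(spec.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def header_length(ver_ihl):
    """Header length from the first IP header byte: 0x45 -> 20, 0x46 -> 24 (options)."""
    return (ver_ihl & 0x0F) * 4


def rule_matches(rule, pkt):
    """Model: 'ip' matches every IP protocol, named protocols match by number,
    and content is searched in the payload only (Snort's content keyword never
    sees the IP header). Addresses and ports are treated as 'any'."""
    if rule["proto"] != "ip" and PROTO_NUMBERS.get(rule["proto"]) != pkt["proto"]:
        return False
    if "content" in rule["opts"]:
        return content_bytes(rule["opts"]["content"]) in pkt["payload"]
    return True


# Constructed packets: IP protocol number, first header byte, payload.
PACKETS = [
    {"name": "tcp syn", "proto": 6, "ver_ihl": 0x45, "payload": b""},
    {"name": "udp dns", "proto": 17, "ver_ihl": 0x45, "payload": b"\x12\x34\x01\x00"},
    {"name": "icmp echo", "proto": 1, "ver_ihl": 0x45, "payload": b"abcdefgh"},
    {"name": "gre tunnel", "proto": 47, "ver_ihl": 0x45, "payload": b"\x00\x00\x08\x00"},
    {"name": "tcp with ip options", "proto": 6, "ver_ihl": 0x46, "payload": b"\x45\x00data"},
]


def coverage(rule_texts, packets=PACKETS):
    """Names of packets caught by at least one rule; raises if any rule is malformed."""
    rules = [parse_rule(t) for t in rule_texts]
    return [p["name"] for p in packets if any(rule_matches(r, p) for r in rules)]


FIRST_POST = ['Alert tcp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)']
FIXED_HEADER = ['alert tcp any any -> any any (msg:"tcp traffic";)',
                'alert udp any any -> any any (msg:"udp traffic";)',
                'alert icmp any any -> any any (msg:"icmp traffic";)']
IP_CATCHALL = ['alert ip any any -> any any (msg:"ip traffic";)']

if __name__ == "__main__":
    print(is_valid_rule(FIRST_POST[0]))  # False: destination port missing
    print(coverage(FIXED_HEADER))        # misses 'gre tunnel'
    print(coverage(IP_CATCHALL))         # everything
    print([header_length(p["ver_ihl"]) for p in PACKETS])
```

Run against the constructed set, the tcp/udp/icmp trio leaves the GRE packet unlogged and the `ip` rule takes all five; a content rule for |45 00| fires only on the packet whose payload happens to start with those two bytes, which is the behaviour to expect when header bytes are put in a content match.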

--__--__--

End of Snort-users Digest


