Snort mailing list archives

Re: Creating a simple rule.


From: Paul Halliday <paul.halliday () gmail com>
Date: Sat, 19 Nov 2005 16:51:13 -0400

The Packet:

Transmission Control Protocol, Src Port: pptp (1723), Dst Port: 2428
(2428), Seq: 190, Ack: 2594307140, Len: 0
    Source port: pptp (1723)
    Destination port: 2428 (2428)
    Sequence number: 190    (relative sequence number)
    Header length: 20 bytes
    Flags: 0x0004 (RST)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0x7b63 [correct]

0000  00 01 80 3b 0a 93 08 00 20 9f f9 5d 08 00 45 00   ...;.... ..]..E.
0010  00 28 3f e3 40 00 38 06 8e 58 8e e3 25 07 c0 a8   .(?.@.8..X..%...
0020  00 02 06 bb 09 7c 86 7b 29 36 00 00 00 00 50 04   .....|.{)6....P.
0030  00 00 7b 63 00 00 55 55 55 55 55 55               ..{c..UUUUUU

The Rule:

alert tcp any any -> any any (msg:"PPTP: Connection Failed";
content:"|00 50 04|"; classtype:misc-activity; sid:1000001; rev:1;)

I know it shouldn't be 'any any' but I was trying to eliminate
possibilities as to why it wouldn't work. This also probably isn't the
best way to track this; I was just looking at the bleeding ssh
connection rule, and it uses flags. I am just playing around.

Thanks.

On 11/19/05, Jason Brvenik <jasonb () sourcefire com> wrote:
On its face that should work but there could be a number of problems
with the rule or the packet. Can you provide the actual packet and rule
you are testing with?


Paul Halliday wrote:
I am just trying to make a couple simple rules but they fail to fire.

Can someone just clarify this:

I am looking at a TCP packet with ethereal that looks like this:

06 bb 09 75 74 0c e2 c4 00 00 00 00 50 04 00 00 d4 4a 00

I want the rule to fire on the pattern 00 50 04

I have a rule that looks like:

content:"|00 50 04|"

yet it doesn't fire. Is there something that I have missed?

Thanks.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--
_________________
Paul Halliday
http://pintumbler.com/

"Diplomacy is the art of saying "Nice doggie!" till you can find a rock."
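An added illustration, not part of the thread: this script walks the hex dump Paul posted above, splits it into Ethernet, IP and TCP headers, and reports which layer the bytes `00 50 04` sit in and how many payload bytes follow the TCP header. Snort's `content` option inspects packet payload, not protocol headers, so the result explains why a payload pattern cannot fire on this RST packet (which has no payload) and why a header test such as the `flags` option the bleeding SSH rule uses is the right tool; the function names are my own.

```python
import struct

# Hex dump of the RST packet as posted in the thread (Ethernet frame).
HEXDUMP = """
0000  00 01 80 3b 0a 93 08 00 20 9f f9 5d 08 00 45 00
0010  00 28 3f e3 40 00 38 06 8e 58 8e e3 25 07 c0 a8
0020  00 02 06 bb 09 7c 86 7b 29 36 00 00 00 00 50 04
0030  00 00 7b 63 00 00 55 55 55 55 55 55
"""

# The byte pattern from the rule's content:"|00 50 04|".
PATTERN = bytes.fromhex("005004")


def parse_hexdump(dump: str) -> bytes:
    """Turn an ethereal/Wireshark style hex dump into raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        parts = line.split()
        out += bytes.fromhex("".join(parts[1:]))  # drop the offset column
    return bytes(out)


def locate_content(frame: bytes, pattern: bytes) -> dict:
    """Report where `pattern` sits in an Ethernet/IPv4/TCP frame and whether
    a payload-only content match (as Snort performs) would ever see it."""
    eth_len = 14
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[eth_len] & 0x0F) * 4                       # IP header length
    ip_total = struct.unpack("!H", frame[eth_len + 2:eth_len + 4])[0]
    if frame[eth_len + 9] != 6:
        raise ValueError("not TCP")
    tcp_off = eth_len + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4               # TCP header length
    flags = frame[tcp_off + 13]
    payload_off = tcp_off + data_off
    payload = frame[payload_off:eth_len + ip_total]         # excludes Ethernet padding
    idx = frame.find(pattern)
    bounds = [(eth_len, "ethernet"), (tcp_off, "ip-header"),
              (payload_off, "tcp-header"), (eth_len + ip_total, "payload")]
    layer = None
    if idx >= 0:
        layer = next((name for end, name in bounds if idx < end), "padding")
    return {"frame_offset": idx, "layer": layer, "payload_len": len(payload),
            "payload_match": pattern in payload, "rst": bool(flags & 0x04)}
```

For the posted packet the pattern lands at frame offset 45, inside the TCP header (last ack byte, data offset, flags), and the payload is empty.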