Snort mailing list archives
Re: help writing snort rule
From: "Bill Lopez" <Bill () oefi org>
Date: Fri, 26 Jan 2007 15:39:14 -0800
/etc/snort/snort.conf

#--------------------------------------------------
# http://www.snort.org     Snort 2.6.1.2 Ruleset
#     Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# $Id$
#
###################################################

# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET any

var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan
preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes
preprocessor smtp: \
  ports { 25 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

#10.0.0.33 is the local machine
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { 10.0.0.33 }
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

include classification.config
include reference.config

include $RULE_PATH/BILL.rules

_______________________________________________________________

Snort command line to start

/usr/sbin/snort -A console -l /var/log/snort/ -h 10.0.0.0/24 \
    -c /etc/snort/snort.conf

_______________________________________________________________

/etc/snort/rules/BILL.rules

alert tcp $HOME_NET any -> any any \
  (pcre:"/ \d{3}(|-)\d{2}(|-)\d{4} /"; msg:"SSN Detected in Clear \
  Text-Bill's Rule"; sid: 1000004; )

alert udp $HOME_NET any -> any any \
  (pcre:"/ \d{3}(|-)\d{2}(|-)\d{4} /"; msg:"SSN Detected in Clear \
  Text-Bill's Rule"; sid: 1000005; )

alert tcp $HOME_NET any -> any any \
  (pcre:"/ \d\d\d-\d\d-\d\d\d\d /"; msg:"SSN Detected in Clear \
  Text-Lou's Rule"; sid: 1000007; )

alert udp $HOME_NET any -> any any \
  (pcre:"/ \d\d\d-\d\d-\d\d\d\d /"; msg:"SSN Detected in Clear \
  Text-Lou's Rule"; sid: 1000008; )

-----------------------------------------------------------------

Still no alert with an e-mail containing 555-55-5555 in the body or subject??

Bill Lopez
Operating Engineers Trust Funds
(626) 356-3524
(626) 255-1066

-----Original Message-----
From: Blake Hartstein [mailto:bhartstein () demarc com]
Sent: Friday, January 26, 2007 11:48 AM
To: Bill Lopez
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] help writing snort rule

Bill Lopez wrote:
which doesn't produce an alert either - eventually I want to apply this filter to just traffic from/to mail, telnet, ftp (etc) servers -
I can send any variance of xxx-xx-xxxx, xxxxxxxx or xxx xx xxxx via an
e-mail, text file attachment or file upload and still never see an alert to the console. I have a simple rule to check for content using a keyword and get alerted when sending that keyword with e-mail, attachment and file upload (this was my test to see if snort was actually alerting correctly) I am only running my test rules with an out of the box snort.conf file. Why wouldn't either of the above rules alert with (for example) an e-mail sent with 555-55-5555 in the body?
Bill,

Can you please paste how you are running snort on the command line, and if you changed anything in your snort.conf please post that information too.

This type of traffic should be seen by snort and the rules you created should alert. Perhaps snort isn't seeing the traffic you are expecting; try running

    # snort -vde -i eth0

to see what snort sees. Or, if you are running from a pcap, you might need to use

    config checksum_mode: none

if you captured the file from the localhost.

Also, which port is this traffic intended for? You might need to configure your flow_depth on http_inspect if you are seeing this deep within the packet, rather than just in the headers.

-Blake
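Before chasing the capture setup, it is worth checking what the posted pcre patterns can actually match. The following is an added example, not code from the thread or from Snort: it runs the two pcre bodies exactly as posted (Bill's and Lou's), plus a tighter pattern that is my own proposal, over constructed SMTP-style payloads using Python's re engine as a stand-in for Snort's PCRE (these particular patterns are accepted unchanged by both). The base64 sample reflects an assumption that the pcre is applied to the bytes on the wire: the smtp preprocessor configuration above does no MIME decoding, so a base64-encoded body or attachment never presents the digits in clear text. The decoded_body helper is a constructed stand-in for that decoding and not a Snort feature.

```python
"""Offline check of the SSN pcre patterns from the thread against constructed
SMTP-style payloads.  Added example, not code from the thread."""
import base64
import re

# The two pcre bodies exactly as posted, minus Snort's /.../ delimiters.
# Python's re dialect accepts both unchanged.
BILL_RULE = r" \d{3}(|-)\d{2}(|-)\d{4} "
LOU_RULE = r" \d\d\d-\d\d-\d\d\d\d "

# Proposed tighter pattern (an assumption of this example, not from the
# thread): anchor on digit boundaries instead of literal spaces, and require
# the same separator (dash, space or none) in both positions.
TIGHT_RULE = r"(?<!\d)\d{3}([- ]?)\d{2}\1\d{4}(?!\d)"

# Constructed payloads modelled on what an SMTP session carries in the TCP
# stream.  None of these are real captures.
SAMPLES = {
    # SSN surrounded by spaces: the only shape the posted rules can hit.
    "spaced": "my ssn is 555-55-5555 please keep it safe",
    # Subject header: the number runs straight into CRLF, no trailing space.
    "eol": "Subject: ssn 555-55-5555\r\n",
    # End of a sentence: trailing period instead of a space.
    "period": "SSN: 555-55-5555.",
    # No separators at all.
    "nodash": "SSN 555555555 here",
    # Base64 body (typical for attachments and many mail clients): the digits
    # are not present in the bytes on the wire.
    "b64": ("Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.b64encode(b"my ssn is 555-55-5555 please").decode()),
}


def matches(pattern, payload):
    """True if PATTERN hits anywhere in PAYLOAD, like Snort's pcre option."""
    return re.search(pattern, payload) is not None


def check_all(pattern):
    """Run one pattern over every sample; returns {sample name: hit?}."""
    return {name: matches(pattern, payload) for name, payload in SAMPLES.items()}


def decoded_body(message):
    """Split a minimal message at the blank line and base64-decode the body
    when the headers say so.  Constructed helper standing in for the MIME
    decoding that the smtp preprocessor configured above does not do."""
    headers, _, body = message.partition("\r\n\r\n")
    if "base64" in headers.lower():
        return base64.b64decode(body).decode("ascii", errors="replace")
    return body


if __name__ == "__main__":
    for name, pattern in (("Bill", BILL_RULE), ("Lou", LOU_RULE), ("tight", TIGHT_RULE)):
        print(name, check_all(pattern))
    print("decoded b64 body, tight:",
          matches(TIGHT_RULE, decoded_body(SAMPLES["b64"])))
```

Run stand-alone it prints one line per pattern. The posted rules hit only the "spaced" sample (Bill's also hits the undashed form), miss an SSN at the end of a subject line or sentence because they demand a literal trailing space, and none of the three patterns hit the base64 body until it is decoded. That is a separate failure from the capture problems Blake describes, and it is cheap to rule out offline before touching the sensor.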
Current thread:
- help writing snort rule Bill Lopez (Jan 25)
- Re: help writing snort rule Nerijus Krukauskas (Jan 25)
- Re: help writing snort rule Matt Jonkman (Jan 26)
- Re: help writing snort rule Joel Esler (Jan 26)
- <Possible follow-ups>
- Re: help writing snort rule Bill Lopez (Jan 26)
- Re: help writing snort rule Joel Esler (Jan 26)
- Re: help writing snort rule Blake Hartstein (Jan 26)
- Re: help writing snort rule Bill Lopez (Jan 26)