Re: Custom Snort Rule Problem

[JJC <cummingsj () gmail com>]

You really want some content matches in there, dramatic performance increase.

Sent from my iPad

On Nov 28, 2012, at 16:26, Jeremy Hoel <jthoel () gmail com> wrote:

> We do a version of this on our network..
>
> var DNS_SERVERS [8.8.8.8,8.8.4.4, <other trusted DNS servers on local subnet>]
>
> alert tcp !$DNS_SERVERS any -> !$DNS_SERVERS 53 (msg:"DNS traffic not
> to-from DNS server"; classtype: misc-activity;sid:1000080;)
> alert udp !$DNS_SERVERS any -> !$DNS_SERVERS 53 (msg:"DNS traffic not
> to-from DNS server"; classtype: misc-activity;sid:1000081;)
>
> so that anything that we see that's not to a DNS server we want, we
> know about.. from inside out or other way around.
>
> I don't know that you can do your IP declarations like that when you
> are making the rule.
>
>
> On Wed, Nov 28, 2012 at 9:48 PM, Ryan Martin <rmartin () internet2 edu> wrote:
> > Hello everyone,
> >
> > I've been working on some rules lately and can't figure out why the rule
> > below won't work.  It won't trigger on anything, even when I purposefully
> > put traffic out there that should trigger it.
> >
> > I've read the snort manual sections for the structure of a rule and IP
> > Variables/IP Lists on how to exclude IP addresses from a block of IP's and
> > such.  I also dug up some other online resources.  I'm not sure what the
> > issue is, but if anyone out there could point me in the right direction on
> > figuring out what my issue is, I'd be greatly appreciative.
> >
> > Rule:
> >
> > alert udp [$HOME_NET,![$DNS_SERVERS]] any ->
> > [$EXTERNAL_NET,![8.8.8.8,8.8.4.4]] 53 (msg:"BLAH BLAH BLAH"; class
> > type:trojan-activity; sid:1000006; rev:1;)
> >
> > It is the intent of the rule to trigger on all devices (but not the DNS
> > servers) using a DNS server that we did not approve.  Google's DNS servers
> > are in there because we use them on some of our other machines.  I'll worry
> > about the DNS TCP traffic rule once I get this one figured out.
> >
> > Thanks for any help,
> >
> > -Ryan
> >
> > ------------------------------------------------------------------------------
> > Keep yourself connected to Go Parallel:
> > INSIGHTS What's next for parallel hardware, programming and related areas?
> > Interviews and blogs by thought leaders keep you ahead of the curve.
> > http://goparallel.sourceforge.net
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
>
> ------------------------------------------------------------------------------
> Keep yourself connected to Go Parallel: 
> INSIGHTS What's next for parallel hardware, programming and related areas?
> Interviews and blogs by thought leaders keep you ahead of the curve.
> http://goparallel.sourceforge.net
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
INSIGHTS What's next for parallel hardware, programming and related areas?
Interviews and blogs by thought leaders keep you ahead of the curve.
http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!