Snort mailing list archives
Re: Custom Snort Rule Problem
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 28 Nov 2012 20:25:53 -0500
Write content matches for the DNS traffic itself.

--
Joel Esler
Sent from my iPhone

On Nov 28, 2012, at 6:29 PM, Jeremy Hoel <jthoel () gmail com> wrote:

> I'm not sure how you could write that with content matches for unknown things. I.e.: we have a /16 and some VPN nets.. and so while we don't expect this rule to fire often, it still does. I could put HOME_NET in first, but that would include the DNS servers I don't care about.. so then maybe define HOME_NOT_DNS and then rewrite the rule as
>
> alert tcp HOME_NOT_DNS any -> !$DNS_SERVERS 53 (msg:"DNS traffic not to-from DNS server"; classtype: misc-activity;sid:1000080;)
>
> Like that?
>
> On Wed, Nov 28, 2012 at 11:12 PM, JJC <cummingsj () gmail com> wrote:
>
>> You really want some content matches in there, dramatic performance increase.
>>
>> Sent from my iPad
>>
>> On Nov 28, 2012, at 16:26, Jeremy Hoel <jthoel () gmail com> wrote:
>>
>>> We do a version of this on our network..
>>>
>>> var DNS_SERVERS [8.8.8.8,8.8.4.4, <other trusted DNS servers on local subnet>]
>>>
>>> alert tcp !$DNS_SERVERS any -> !$DNS_SERVERS 53 (msg:"DNS traffic not to-from DNS server"; classtype: misc-activity;sid:1000080;)
>>> alert udp !$DNS_SERVERS any -> !$DNS_SERVERS 53 (msg:"DNS traffic not to-from DNS server"; classtype: misc-activity;sid:1000081;)
>>>
>>> so that anything that we see that's not to a DNS server we want, we know about.. from inside out or the other way around.
>>>
>>> I don't know that you can do your IP declarations like that when you are making the rule.
>>>
>>> On Wed, Nov 28, 2012 at 9:48 PM, Ryan Martin <rmartin () internet2 edu> wrote:
>>>
>>>> Hello everyone,
>>>>
>>>> I've been working on some rules lately and can't figure out why the rule below won't work. It won't trigger on anything, even when I purposefully put traffic out there that should trigger it. I've read the Snort manual sections for the structure of a rule and IP Variables/IP Lists on how to exclude IP addresses from a block of IPs and such. I also dug up some other online resources. I'm not sure what the issue is, but if anyone out there could point me in the right direction on figuring out what my issue is, I'd be greatly appreciative.
>>>>
>>>> Rule:
>>>> alert udp [$HOME_NET,![$DNS_SERVERS]] any -> [$EXTERNAL_NET,![8.8.8.8,8.8.4.4]] 53 (msg:"BLAH BLAH BLAH"; class type:trojan-activity; sid:1000006; rev:1;)
>>>>
>>>> It is the intent of the rule to trigger on all devices (but not the DNS servers) using a DNS server that we did not approve. Google's DNS servers are in there because we use them on some of our other machines. I'll worry about the DNS TCP traffic rule once I get this one figured out.
>>>>
>>>> Thanks for any help,
>>>> -Ryan
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Keep yourself connected to Go Parallel: INSIGHTS What's next for parallel hardware, programming and related areas? Interviews and blogs by thought leaders keep you ahead of the curve. http://goparallel.sourceforge.net
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users () lists sourceforge net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
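An added example, not code from the thread or from Snort itself: a small Python model of the set semantics of Snort 2.x IP lists (variables, CIDRs and nested negation such as [$HOME_NET,![$DNS_SERVERS]]) applied to the two rule headers quoted above, so a reader can see which source/destination pairs each header is meant to select. The ipvar values are constructed, and the model follows the documented list semantics (positive entries are OR'd, negated entries exclude, a list with only negations means "anything except") rather than Snort's parser, so it shows intent, not why Ryan's rule fails to fire on his sensor.

```python
import ipaddress
import re

# Constructed ipvar definitions (assumed here); real values live in snort.conf.
IPVARS = {"HOME_NET": "10.0.0.0/16", "DNS_SERVERS": "[10.0.0.53,10.0.0.54]",
          "EXTERNAL_NET": "!$HOME_NET"}
# The two rule headers from the thread; the options in parentheses are ignored here.
RYAN_RULE = "alert udp [$HOME_NET,![$DNS_SERVERS]] any -> [$EXTERNAL_NET,![8.8.8.8,8.8.4.4]] 53 (sid:1000006;)"
JEREMY_RULE = "alert udp !$DNS_SERVERS any -> !$DNS_SERVERS 53 (sid:1000081;)"
TOKEN = re.compile(r"\[|\]|,|!|\$\w+|any|[0-9a-fA-F:.]+(?:/\d+)?")

def parse(text):
    """Parse an IP-list expression into a tree of any / net / var / not / list nodes."""
    toks = TOKEN.findall(text)
    def node():
        tok = toks.pop(0)
        if tok == "!":
            return ("not", node())
        if tok == "[":
            items = []
            while toks[0] != "]":
                if toks[0] == ",":
                    toks.pop(0)
                else:
                    items.append(node())
            toks.pop(0)
            return ("list", items)
        if tok.startswith("$"):
            return ("var", tok[1:])
        return ("any",) if tok == "any" else ("net", ipaddress.ip_network(tok, strict=False))
    return node()

def matches(node, ip, ipvars=IPVARS):
    """List rule: a positive entry must hit (unless the list has none) and no negated entry may hit."""
    kind = node[0]
    if kind in ("any", "net"):
        return kind == "any" or ip in node[1]
    if kind == "not":
        return not matches(node[1], ip, ipvars)
    if kind == "var":
        return matches(parse(ipvars[node[1]]), ip, ipvars)
    pos = [n for n in node[1] if n[0] != "not"]
    neg = [n for n in node[1] if n[0] == "not"]
    return (not pos or any(matches(n, ip, ipvars) for n in pos)) and all(matches(n, ip, ipvars) for n in neg)

def header_matches(rule, src, dst, dport, ipvars=IPVARS):
    """Apply only the header (action proto src sport -> dst dport) of a rule to one flow."""
    _, _, s, _, _, d, p = rule.split()[:7]
    return ((p == "any" or int(p) == dport) and matches(parse(s), ipaddress.ip_address(src), ipvars)
            and matches(parse(d), ipaddress.ip_address(dst), ipvars))
```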
Current thread:
- Custom Snort Rule Problem Ryan Martin (Nov 28)
- Re: Custom Snort Rule Problem Jeremy Hoel (Nov 28)
- Re: Custom Snort Rule Problem JJC (Nov 28)
- Re: Custom Snort Rule Problem Jeremy Hoel (Nov 28)
- Re: Custom Snort Rule Problem Joel Esler (Nov 28)
- Re: Custom Snort Rule Problem JJC (Nov 28)
- Re: Custom Snort Rule Problem Jeremy Hoel (Nov 28)
- Re: Custom Snort Rule Problem JJC (Nov 29)
- Re: Custom Snort Rule Problem Ryan Martin (Nov 29)
- Re: Custom Snort Rule Problem JJC (Nov 28)
- Re: Custom Snort Rule Problem Jeremy Hoel (Nov 28)