Snort mailing list archives
Re: Snort rule for and services that run on non-standard port
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 17 Aug 2016 11:43:53 +0000
Hello,

Sounds like you need to use the service command:

"2.7.5.1 Attribute Table Affect on rules

Snort uses service information in two ways: initialization of the detection engine and as a detection criterion. To take advantage of this, Snort rules must contain the metadata: service SERVICE convention specified. During rule evaluation the default behavior will check first that the packet has been matched to a service, and then check that the packet's service matches the service(s) specified in the rule; if both these checks pass then Snort will disable source and destination port checks for the rule."

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node22.html#targetbased

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: amir zargaran <zargaran.amir () gmail com>
Date: Wednesday, August 17, 2016 at 4:01 AM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] Snort rule for and services that run on non-standard port

Dear all,

Please help me: how do I create a rule for services that run on a non-standard and non-popular port? For example, I want to create a rule for the RDP terminal service that runs on a non-public (non-3389) port.

BR
amir
------------------------------------------------------------------------------
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
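Worked example, added here to illustrate the mechanism quoted above (this is an editor's example, not code from the thread, the Snort manual, or the Snort project). In Snort 2.x the service a packet "has been matched to" comes from the host attribute table, loaded with the snort.conf directive `attribute_table filename /etc/snort/hosts.xml` (path assumed). The table below follows the layout of the manual's attribute-table example; the host 10.0.0.5 running RDP on TCP 3390 is constructed for the example.

```xml
<SNORT_ATTRIBUTES>
  <ATTRIBUTE_MAP>
    <!-- IDs are referenced by ATTRIBUTE_ID elements below -->
    <ENTRY>
      <ID>1</ID>
      <VALUE>Windows</VALUE>
    </ENTRY>
  </ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE>
    <HOST>
      <!-- constructed example host: RDP exposed on a non-standard port -->
      <IP>10.0.0.5</IP>
      <OPERATING_SYSTEM>
        <NAME>
          <ATTRIBUTE_ID>1</ATTRIBUTE_ID>
          <CONFIDENCE>100</CONFIDENCE>
        </NAME>
      </OPERATING_SYSTEM>
      <SERVICES>
        <SERVICE>
          <PORT>
            <ATTRIBUTE_VALUE>3390</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </PORT>
          <IPPROTO>
            <ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </IPPROTO>
          <PROTOCOL>
            <!-- this string is what metadata:service in a rule is matched against -->
            <ATTRIBUTE_VALUE>rdp</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </PROTOCOL>
        </SERVICE>
      </SERVICES>
    </HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
```

A matching rule (sid and message assumed; the content matches the TPKT version byte and the "Cookie: mstshash=" routing token that precede a Microsoft RDP X.224 connection request) would be: `alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"RDP connection request to service tagged rdp"; flow:to_server,established; content:"|03 00|"; depth:2; content:"Cookie: mstshash="; nocase; metadata:service rdp; sid:1000001; rev:1;)`. Two points worth checking in practice: the `metadata:service` value must be exactly the PROTOCOL string in the table, and the port check is only bypassed for traffic to hosts the table has tagged. Keeping 3389 as the rule's port (rather than `any`) means traffic to hosts not listed in the table is still inspected on the standard port, while 10.0.0.5:3390 is picked up through the service match. Validate the configuration with `snort -T -c /path/to/snort.conf` before deploying it.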
Current thread:
- Snort rule for and services that run on non-standard port amir zargaran (Aug 17)
- Re: Snort rule for and services that run on non-standard port Al Lewis (allewi) (Aug 17)