Re: Snort Rule Creation

[John G <drterdnugget () gmail com>]

Hey Joel.  Yes I do.  I just left is an "any" because i was trying
everything to get it to alert lol But we are thinking that the issue is not
rule related.

On Tue, Jan 31, 2017 at 7:57 PM, Joel Esler (jesler) <jesler () cisco com>
wrote:

> You know you can do ![80,443] as ports right?
>
> --
> Sent from my iPhone
>
> On Jan 31, 2017, at 8:50 PM, John G <drterdnugget () gmail com> wrote:
>
> That is from Sourcefire.  This is what the actual rule looks like now.
>
> alert ip !Source address any <> [All, 8, destination, addresses] any
> (sid:1000000; gid:1; msg:"Unwanted Traffic"; classtype:tcp-connection;
> rev:5; )
>
> The rule should work right?   Might be an issue with the way our network
> is setup and where our ids is located.
>
> On Tue, Jan 31, 2017 at 7:41 PM, Desmond Agee <dezmondagee () yahoo com>
> wrote:
>
> > What program is that a snap-shot of?
> >
> > Desmond Agee
> >
> > On Jan 31, 2017, at 8:27 PM, John G <drterdnugget () gmail com> wrote:
> >
> > Alright, so this is basically what I did.
> >
> > Alert ip !SOURCEIP any [8, Destination, IP's] any (msg:”Unauthorized TCP
> > traffic initiated”;)
> >
> > I figured out that you can negate with ! in front of the IP's.  To test
> > it, I have been sending ping packets to the destination IP's from a source
> > ip address that is NOT what i entered in the Source IP part of the rule.
> > However, I am not receiving any alerts.  Do i need to add arguments to look
> > for tcp traffic?
> >
> > On Tue, Jan 31, 2017 at 5:58 PM, John G <drterdnugget () gmail com> wrote:
> >
> > > Forgot to attach the screenshot.
> > >
> > > On Tue, Jan 31, 2017 at 5:09 PM, Joel Esler (jesler) <jesler () cisco com>
> > > wrote:
> > >
> > > > Maybe something like:
> > > >
> > > > alert tcp $SOURCEIP any -> ![destip1, destip2, destip3] any
> > > > (msg:”Unauthorized TCP traffic initiated”; flags:S; sid:1000000; rev:1;)
> > > >
> > > >
> > > > ?
> > > >
> > > >
> > > > *--*
> > > > *Joel Esler *| *Talos:* Manager | jesler () cisco com
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Jan 31, 2017, at 5:33 PM, John G <drterdnugget () gmail com> wrote:
> > > >
> > > > Good Afternoon everyone,
> > > >
> > > > My name is John and I am starting out with creating Snort rules.  I
> > > > have experience using Snort with IDS's such as Sourcefire and Security
> > > > Onion for incident response.  However, i don't have much experience
> > > > creating custom rules.  Although i once created a rule during one of my
> > > > security classes during my undergrad program lol  Anyway, i have been
> > > > reading documentation for how to understand/create rules from a variety of
> > > > sources.  But I wanted to reach out to you guys and see what information
> > > > you can provide.
> > > >
> > > > I have a device that is communicating with about 8 other devices.  I
> > > > would like to write a rule that alerts if it detects any communication
> > > > outside of those devices.
> > > >
> > > > Is it possible to list multiple ip addresses within a rule and maybe
> > > > use an is not "!=" attribute.
> > > >
> > > > So something like: alert tcp != sourceip1  80 -> destip1, destip2,
> > > > destip3, etc (msg:"Alert Message";)
> > > >
> > > > I would appreciate any assistance and will continue to do my own
> > > > research and see if i can figure it out on my own :)
> > > >
> > > > Regards,
> > > > John
> > > > ------------------------------------------------------------
> > > > ------------------
> > > > Check out the vibrant tech community on one of the world's most
> > > > engaging tech sites, SlashDot.org! http://sdm.link/slashdot______
> > > > _________________________________________
> > > > Snort-sigs mailing list
> > > > Snort-sigs () lists sourceforge net
> > > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > > >
> > > > http://www.snort.org
> > > >
> > > > Please visit http://blog.snort.org for the latest news about Snort!
> > > >
> > > > Visit the Snort.org to subscribe to the official Snort ruleset, make
> > > > sure to stay up to date to catch the most <a href="
> > > > https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > http://www.snort.org
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> > Visit the Snort.org to subscribe to the official Snort ruleset, make
> > sure to stay up to date to catch the most <a href="
> > https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!