Educause Security Discussion mailing list archives
Re: writing SNORT rules
From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Date: Tue, 2 Dec 2008 12:26:59 -0500
Chris,

Thanks! I meant to put where I am testing from in the original email message, but forgot. I am testing from a Verizon DSL line I have in my office. An alternate network is a godsend for testing.

I have this defined as well:

    portvar SSH_PORTS 22

One of the sections in the snort.conf file I was looking at/concerned about is -- don't know what all these are/mean:

    # config checksum_mode: all
    config disable_decode_alerts
    config disable_tcpopt_experimental_alerts
    config disable_tcpopt_obsolete_alerts
    config disable_ttcp_alerts
    config disable_tcpopt_alerts
    config disable_ipopt_alerts
    config disable_decode_drops
    p

On Dec 2, 2008, at 11:47 AM, Chris Green wrote:

> Write the rules out using only your CIDR notation and you get:
> (assuming you have SSH_PORTS defined)
>
>     alert tcp !137.165.0.0/16 any -> 137.165.224.0/24 22 (flow:stateless; flags:S,12; msg: "test"; sid: 1234125;)
>
> Where are you testing from? On campus?
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter Charbonneau
> Sent: Tuesday, December 02, 2008 10:14 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] writing SNORT rules
>
> Good morning
>
> I have written 3 "quick and dirty" SNORT rules and am trying to follow the write/test/write/test/write/test/write/test
>
> Unfortunately even the first test isn't working. I never see the alert message for these rules in my alert log. Is there some other directive in the snort.conf file that could be precluding these stateless "hits" from being processed in some way?
>
> If you have any responses, we should probably take this off-line to keep the list from being clogged, unless, of course, this is a "class" problem for all first time rule writers. I think it's something stupid, but I just can't see it.
>
> These are the simplest rules I could think of with the ongoing process of modifying them for my final needs. My ultimate goal is to be able to grep the alert file for this LOCAL message and grab the timestamps; I want to come up with a way to sanity check the duration of established ssh sessions to compare against host machine log files.
>
> Here are the rules:
>
>     [root@netsniff emerging]# cat /usr/local/etc/rules/local.rules
>     # $Id: local.rules,v 1.13 2005/02/10 01:11:04 bmc Exp $
>     # ----------------
>     # LOCAL RULES
>     # ----------------
>     #alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS (flow:stateless; flags:S,12; msg: "LOCAL Connection attempt -- NetSys asset on port 22"; sid: 2008001;)
>     alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS (flow:stateless; flags:F,12; msg: "LOCAL Connection termination -- NetSys asset on port 22"; sid: 2008002;)
>     alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS (flow:stateless; flags:R,12; msg: "LOCAL Connection reset -- NetSys asset for port 22"; sid: 2008003;)
>     [root@netsniff emerging]#
>
> The variables EXTERNAL_NET, NETSYS_NET, SSH_PORTS are all defined:
>
>     var HOME_NET 137.165.0.0/16
>     var NETSYS_NET 137.165.224.0/24
>     var EXTERNAL_NET !$HOME_NET
>
> RULE_PATH is defined as
>
>     var RULE_PATH /usr/local/etc/rules
>
> Here is the portion of the snort.conf file that "includes" the local.rules file:
>
>     #
>     # Please read the specific include file for more information and
>     # README.alert_order for how rule ordering affects how alerts are triggered.
>     #=========================================
>     include $RULE_PATH/local.rules
>     # include $RULE_PATH/bad-traffic.rules
>     include $RULE_PATH/exploit.rules
>
> I have stopped and restarted snort with the same command line I always use:
>
>     snort -A full -i eth3 -N -K none -c /usr/local/etc/snort.conf -D
>
> PeteC
> Peter Charbonneau
> Sr. Network and Systems Administrator
> Williams College
> (413) 597-3408 (office)
> (413) 822-2922 (cell)
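An added example (my own, not code from the thread) of the sanity check Peter describes: parse Snort's `-A full` alert output for the three LOCAL sids and pair each SYN alert (sid 2008001) with the next FIN or RST alert (sid 2008002/2008003) on the same client/server 4-tuple to get a session duration. The alert records below are constructed, and the year is passed in because Snort's default alert timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample of a Snort "-A full" alert file (not real traffic): a SYN
# and a later FIN from one client, plus a RST from a client that never sent a SYN.
SAMPLE_ALERTS = """\
[**] [1:2008001:0] LOCAL Connection attempt -- NetSys asset on port 22 [**]
[Priority: 0]
12/02-10:03:21.100000 198.51.100.7:51234 -> 137.165.224.10:22

[**] [1:2008003:0] LOCAL Connection reset -- NetSys asset for port 22 [**]
[Priority: 0]
12/02-10:05:00.000000 203.0.113.9:40000 -> 137.165.224.10:22

[**] [1:2008002:0] LOCAL Connection termination -- NetSys asset on port 22 [**]
[Priority: 0]
12/02-10:18:51.100000 198.51.100.7:51234 -> 137.165.224.10:22
"""

HEADER = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\]")           # [**] [gid:sid:rev] msg [**]
PACKET = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)")
SYN_SID, CLOSE_SIDS = "2008001", {"2008002", "2008003"}

def parse_alerts(text, year):
    """Yield (sid, timestamp, src_ip, src_port, dst_ip, dst_port) per alert record."""
    sid = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sid = m.group(1)
            continue
        m = PACKET.match(line)
        if m and sid:
            # Snort omits the year unless run with -y, so the caller supplies it.
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            yield (sid, ts) + m.groups()[1:]
            sid = None

def session_durations(text, year):
    """Pair each SYN alert with the next FIN/RST alert on the same 4-tuple.
    Returns {(src_ip, src_port, dst_ip, dst_port): seconds}. SYNs with no
    matching close are left out: the rules only match packets from
    $EXTERNAL_NET towards $NETSYS_NET, so a close initiated by the server
    side never produces a LOCAL alert and those sessions stay open here."""
    open_at, durations = {}, {}
    for sid, ts, *tuple4 in parse_alerts(text, year):
        key = tuple(tuple4)
        if sid == SYN_SID:
            open_at[key] = ts
        elif sid in CLOSE_SIDS and key in open_at:
            durations[key] = (ts - open_at.pop(key)).total_seconds()
    return durations
```

The durations can then be compared against the host's own sshd login/logout records for the same client address and port.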