Snort mailing list archives
Some broken rules in 1.8-beta7 Build 36
From: Phil Wood <cpw () lanl gov>
Date: Mon, 2 Jul 2001 16:41:59 -0600
According to www.whitehats.com: IDS253 and IDS252 specify (port >= 1024) -> (port any)

In snort rule speak, the source port would be represented by: 1024:, not :1024 (<=1024)

ddos.rules:alert tcp $INTERNAL :1024 -> $EXTERNAL any (msg: "DDOS shaft synflood outgoing"; flags: S; seq: 674711609; reference: arachnids,253; classtype: attempted-dos; sid:241; rev:1;)
===============================^ change to 1024:

ddos.rules:alert tcp $EXTERNAL :1024 -> $INTERNAL any (msg: "DDOS shaft synflood incoming"; flags: S; seq: 674711609; reference: arachnids,252; classtype: attempted-dos; sid:242; rev:1;)
===============================^ change to 1024:

Assuming the smtp server is INTERNAL, then most likely the port assigned by the smtp OS is >= 1024, or (1024:), and this rule is looking at the response from the EXTERNAL ident server. I think the explanation at whitehats is not correct in regard to the internal port number range.

vision.rules:alert TCP $EXTERNAL 113 -> $INTERNAL :1024 (msg: "IDS123/smtp_smtp-exploit8610"; flags: A+; content: "Croot|0d0a|Mprog, P=/bin/"; classtype: system-attempt; reference: arachnids,123;)
==================================================^ change to 1024:

The responses to most web traffic are sent to ports >= 1024. Consequently, I would think that the destination port in the rule below should be 1024:.

vision.rules:alert TCP $EXTERNAL 80 -> $INTERNAL :1024 (msg: "IDS496/client_client-netscape-gif-comment"; flags: P+; content: "GIF89a|0a|"; content: "parent.frames"; nocase; content: "form"; nocase; classtype: client-attempt; reference: arachnids,496;)
==================================================^ change to 1024:

I could be wrong. Just want some clarification.
Thanks, Phil
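A small port-range checker, added here as an example (it is not from the thread or from the Snort project), that applies the notation the post is about: N: means N and above, :M means M and below, plus single ports, any and ! negation. It parses only the port fields of a rule header; the two rule strings are constructed from the shaft synflood rule in the post, once as shipped and once with the proposed 1024: fix, and the rule options are trimmed to what the header check needs.

```python
import re

# Snort rule header layout: action proto src_ip src_port (-> | <>) dst_ip dst_port (options
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def port_matches(spec: str, port: int) -> bool:
    """True if `port` lies inside a Snort port spec: any, N, N:M, N: (>= N), :M (<= M), !spec."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":", 1)
    low = int(lo) if lo else 0          # ":1024" -> 0..1024
    high = int(hi) if hi else 65535     # "1024:" -> 1024..65535
    return low <= port <= high


def header_matches(rule: str, src_port: int, dst_port: int) -> bool:
    """Check only the source/destination port fields of a rule header against a packet's ports."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header: " + rule[:40])
    return port_matches(m["sport"], src_port) and port_matches(m["dport"], dst_port)


# Constructed from the post: the outgoing shaft synflood rule as shipped, and with the proposed fix.
AS_SHIPPED = 'alert tcp $INTERNAL :1024 -> $EXTERNAL any (msg: "DDOS shaft synflood outgoing"; flags: S; sid:241;)'
AS_FIXED = 'alert tcp $INTERNAL 1024: -> $EXTERNAL any (msg: "DDOS shaft synflood outgoing"; flags: S; sid:241;)'

if __name__ == "__main__":
    # A SYN from an ephemeral client port (40000) to port 80: only the fixed rule sees it.
    print("as shipped:", header_matches(AS_SHIPPED, 40000, 80))  # False
    print("as fixed:  ", header_matches(AS_FIXED, 40000, 80))    # True
```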