Snort mailing list archives
Re: port ranges/selection
From: "Jim Forster" <jforster () rapidnet com>
Date: Thu, 19 Jul 2001 08:20:18 -0600
Jon,

Here's a client.rules file I use when I want to watch traffic to a specific system. Anything that is not listed as 'pass' in this file will be logged to file. You can simply add these to your local.rules file, or add it as client.rules to your snort.conf file. (easier to turn on and off when you need it) You can just remove the ones you want alerted on, but I posted the whole file in case other users may find it useful. Be sure to use the -o option to allow the 'pass' rules first.

var CLIENT [client.ip.address/32]

pass tcp any 21 <> $CLIENT any
pass tcp any 22 <> $CLIENT any
pass tcp any 25 <> $CLIENT any
pass udp any 53 <> $CLIENT any
pass tcp any 53 <> $CLIENT any
pass tcp any 80 <> $CLIENT any
pass tcp any 110 <> $CLIENT any
pass udp any 137 <> $CLIENT any
pass udp any 138 <> $CLIENT any
pass udp any 139 <> $CLIENT any
pass tcp any 143 <> $CLIENT any
pass tcp any 443 <> $CLIENT any
pass tcp any 1433 <> $CLIENT any

alert tcp any any <> $CLIENT any (msg:"TCP"; logto:"TCP";)
alert udp any any <> $CLIENT any (msg:"UDP"; logto:"UDP";)
alert icmp any any <> $CLIENT any (msg:"ICMP"; logto:"ICMP";)

Hope that helps!

Jim Forster
Network Administrator
RapidNet, A Golden West Company
--------------------------------------------------------
http://www.snort.org

----- Original Message -----
From: "Jonathan J. Hart" <jhart () ccs neu edu>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, July 18, 2001 7:59 PM
Subject: [Snort-users] port ranges/selection
Hey there,

I'm trying to write a rule that'll log and alert me of all traffic _not_ on a set of ports. For example, I want to log all traffic to a machine that is not bound for port 21, 80, or 443. I can do a single port (i.e., !X where X is the port number), but that only works when I want to eliminate a single port. Is there a syntax that'll allow this? I'd like to do something like:

alert tcp ![$myhosts] any -> $WEB_SERVER ![21,80,443] (msg: "Foo";)

...where that'd log all connections from the world to ports other than 21,80,443.

Ideas? I checked the man pages, the updated "writing snort rules" document and every example I could find locally and on the web without success.

I can do this from the command line using the tcpdump-ish syntax:

snort -i xl0 -Cvd ! port 80 and ! port 21 and ! port 443

And that gets me the expected results.

Thanks for any help/clues you can give me.

-jon

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
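The rule-ordering point in Jim's reply (the 'pass' rules only take effect ahead of the 'alert' rules with -o) modelled as an added example; this is not code from the original post, and it assumes Snort 1.x first-match semantics, a constructed $CLIENT address and constructed sample packets.

```python
from typing import NamedTuple, Optional
CLIENT = "192.0.2.10"  # constructed stand-in for $CLIENT (documentation address)

class Rule(NamedTuple):
    action: str          # "pass" or "alert"
    proto: str           # "tcp", "udp" or "icmp"
    port: Optional[int]  # port on the non-$CLIENT side; None means "any"
    msg: str             # msg/logto name of an alert rule
class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# The client.rules file from the post: pass the listed services, alert on all else.
PASS_PORTS = {"tcp": [21, 22, 25, 53, 80, 110, 143, 443, 1433],
              "udp": [53, 137, 138, 139]}
RULES = [Rule("pass", proto, port, "") for proto, ports in PASS_PORTS.items()
         for port in ports]
RULES += [Rule("alert", "tcp", None, "TCP"), Rule("alert", "udp", None, "UDP"),
          Rule("alert", "icmp", None, "ICMP")]

def matches(rule: Rule, pkt: Packet) -> bool:
    """Bidirectional (<>) match: $CLIENT on one side, 'any <port>' on the other.
    The port is checked on the remote side, so the file covers $CLIENT as a
    client of those services rather than as a server for them."""
    if rule.proto != pkt.proto:
        return False
    if pkt.dst == CLIENT:
        remote_port = pkt.sport
    elif pkt.src == CLIENT:
        remote_port = pkt.dport
    else:
        return False  # $CLIENT not involved, so nothing in this file applies
    return rule.port is None or rule.port == remote_port

def evaluate(pkt: Packet, change_order: bool) -> str:
    """Action Snort 1.x takes on pkt, first match wins. The default order is
    alert -> pass -> log; -o (change_order=True) makes it pass -> alert -> log,
    which is why the pass rules in the file only take effect with -o."""
    order = ["pass", "alert"] if change_order else ["alert", "pass"]
    for action in order:
        for rule in RULES:
            if rule.action == action and matches(rule, pkt):
                return "pass" if action == "pass" else f"alert:{rule.msg}"
    return "none"
# Constructed samples: $CLIENT fetching a web page, and an unexpected inbound port.
HTTP_OUT = Packet("tcp", CLIENT, 40321, "203.0.113.5", 80)
RDP_IN = Packet("tcp", "203.0.113.9", 51234, CLIENT, 3389)
```

Without -o the outbound HTTP packet is alerted on despite the matching pass rule; with -o it is passed and only the unexpected port 3389 traffic is alerted on.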