Snort mailing list archives

Help with custom rule

From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Thu, 26 Jul 2001 18:36:58 -0400


I was wondering if anyone out there could help me with a custom rule? I'm
using Snort 1.7 on Red Hat Linux 7.0.

Here's the scenario. There are many default rules that come with Snort that
check for certain destination ports, such as the Backdoor Netmetro Trojan on
port 5032. So if a packet is seen with a destination port of 5032, Snort
flags it as a Backdoor Netmetro trojan. The problem with this is that if a
client happens to initiate a TCP handshake using 5032 as the random SOURCE
port, our servers reply with 5032 as the destination port, triggering a
Snort alert. This is normal TCP operation so it happens all the time.

An example where x.x.x.x is a host on the Internet and y.y.y.y is my web
server:

x.x.x.x:5032   -->   y.y.y.y:80
the web server replies to the host with:
y.y.y.y:80    -->    x.x.x.x:5032

This triggers a false positive for the Backdoor Netmetro. This type of false
positive can obviously occur under any destination port. As a result we get
TONS of false positives every day. Using the above example, I want to create
a custom Snort rule that says "if the source port is NOT equal to 80 AND the
destination port is 5032, THEN trigger an alert for the Backdoor NetMetro
trojan. This would cut WAY down on the false positives I see every day
against our web server. In other words, if our web server was not replying
to the host on the Internet using port 80 as the source, then this would
more likely not be part of a regular transaction and would at least cut down
on the majority of false positives. The "not equal to" scenario would work
great to cut down on a LOT of other false positives as well. Does anyone
know if this can be done?


Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Help with custom rule Sheahan, Paul (PCLN-NW) (Jul 26)
- Re: Help with custom rule Jim Forster (Jul 26)
- <Possible follow-ups>
- RE: Help with custom rule Dell, Jeffrey (Jul 26)
- RE: Help with custom rule Sheahan, Paul (PCLN-NW) (Jul 27)