Snort mailing list archives
Re: Help with custom rule
From: "Jim Forster" <jforster () rapidnet com>
Date: Thu, 26 Jul 2001 16:59:13 -0600
Using 'content' based rules will work much better for you.

alert tcp $HOME_NET any -> !$HOME_NET 5032 (msg:"BACKDOOR SIGNATURE - NetMetro File List"; flags:PA; content:"|2D 2D|";)
alert tcp $HOME_NET any -> !$HOME_NET 5032 (msg:"BACKDOOR SIGNATURE - NetMetro Outbound Data"; flags:PA;)

01/11-22:08:22.656050 192.168.0.2:1033 -> 192.168.0.1:5032
TCP TTL:128 TOS:0x0 ID:64256 DF
***PA* Seq: 0x27848F   Ack: 0x3AE69B   Win: 0x2238
61 3C 2E 2E 3E 20 20 20 20 20 20 20 20 20 20 20  a<..>
20 20 20 20 20 20 20 20 20 30 20 20 20 20 20 20           0
20 20 20 20 20 2D 2D 44 2D 2D 2D 2D                  --D----

01/11-22:14:40.861530 192.168.0.1 -> 192.168.0.2:5031
TCP TTL:128 TOS:0x0 ID:39074 DF
***PA* Seq: 0x408104   Ack: 0x2D1EEC   Win: 0x2238
72 61 70 70 76 01                                rappv.

----- Original Message -----
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
To: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Sent: Thursday, July 26, 2001 4:36 PM
Subject: [Snort-users] Help with custom rule
I was wondering if anyone out there could help me with a custom rule? I'm using Snort 1.7 on Red Hat Linux 7.0. Here's the scenario.

There are many default rules that come with Snort that check for certain destination ports, such as the Backdoor Netmetro Trojan on port 5032. So if a packet is seen with a destination port of 5032, Snort flags it as a Backdoor Netmetro trojan. The problem with this is that if a client happens to initiate a TCP handshake using 5032 as the random SOURCE port, our servers reply with 5032 as the destination port, triggering a Snort alert. This is normal TCP operation so it happens all the time. An example where x.x.x.x is a host on the Internet and y.y.y.y is my web server:

x.x.x.x:5032 --> y.y.y.y:80

the web server replies to the host with:

y.y.y.y:80 --> x.x.x.x:5032

This triggers a false positive for the Backdoor Netmetro. This type of false positive can obviously occur under any destination port. As a result we get TONS of false positives every day.

Using the above example, I want to create a custom Snort rule that says "if the source port is NOT equal to 80 AND the destination port is 5032, THEN trigger an alert for the Backdoor NetMetro trojan." This would cut WAY down on the false positives I see every day against our web server. In other words, if our web server was not replying to the host on the Internet using port 80 as the source, then this would more likely not be part of a regular transaction and would at least cut down on the majority of false positives. The "not equal to" scenario would work great to cut down on a LOT of other false positives as well. Does anyone know if this can be done?

Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
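The exchange above compares three ways of writing the NetMetro rule: the shipped port-only check that Paul is fighting, Paul's "source port is NOT equal to 80" idea (Snort 1.x already accepts a negated port such as !80 in the rule header), and Jim's content-plus-flags rule. The script below is an added illustration, not code from either poster and not Snort's own matching engine: it implements just enough of the Snort 1.x rule syntax (header fields with ! negation, msg, flags as an exact flag set, content with |hex| escapes) to run the three rules over constructed packets. Assumptions: $HOME_NET is 192.168.0.0/24, the Internet host is the documentation address 203.0.113.5, the "port-only" rule is a constructed stand-in for the shipped signature, and the HTTP and TLS payloads are made up; only the NetMetro payload bytes are taken from Jim's dump. It goes one step past the thread by including an HTML reply containing a comment, to show where a two-byte content match still misfires.

```python
"""Toy evaluator for the Snort 1.x rule subset used in this thread.

Added illustration, not Snort's matcher and not either poster's code.
Supports: header address/port fields with '!' negation and $VARS,
'msg', 'flags' (a bare flag list means exactly these flags, as in
Snort 1.x) and 'content' with |hex| escapes.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: $HOME_NET is 192.168.0.0/24 (the addresses in Jim's dump).
VARS = {"$HOME_NET": ipaddress.ip_network("192.168.0.0/24")}

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags in Snort letters, e.g. "PA"
    payload: bytes


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {k: v.strip('"') for k, v in OPTION_RE.findall(opts)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def decode_content(spec):
    """Snort content string -> bytes; text between '|' characters is hex."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)


def addr_matches(spec, ip):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    else:
        net = VARS.get(spec) or ipaddress.ip_network(spec, strict=False)
        hit = ipaddress.ip_address(ip) in net
    return hit != negate


def port_matches(spec, port):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or int(spec) == port
    return hit != negate


def rule_matches(rule, pkt):
    if not (addr_matches(rule["src"], pkt.src) and port_matches(rule["sport"], pkt.sport)
            and addr_matches(rule["dst"], pkt.dst) and port_matches(rule["dport"], pkt.dport)):
        return False
    opts = rule["options"]
    if "flags" in opts and set(opts["flags"]) != set(pkt.flags):
        return False
    if "content" in opts and decode_content(opts["content"]) not in pkt.payload:
        return False
    return True


def alerts(rules, pkt):
    """Return the msg of every rule that fires on pkt, in rule order."""
    return [r["options"].get("msg", "") for r in rules if rule_matches(r, pkt)]


RULES = [parse_rule(r) for r in [
    # Constructed stand-in for the shipped port-only signature Paul describes.
    'alert tcp $HOME_NET any -> !$HOME_NET 5032 (msg:"port-only";)',
    # Paul's proposal: any source port except 80.
    'alert tcp $HOME_NET !80 -> !$HOME_NET 5032 (msg:"sport!=80";)',
    # Jim's content rule from the reply.
    'alert tcp $HOME_NET any -> !$HOME_NET 5032 (msg:"content --"; flags:PA; content:"|2D 2D|";)',
]]

# Constructed packets; 203.0.113.5 stands in for an Internet host. The
# NetMetro payload bytes are the ones in Jim's dump ("a<..>" ... "--D----").
NETMETRO_LIST = bytes.fromhex("613c2e2e3e" + "20" * 20 + "30" + "20" * 11 + "2d2d442d2d2d2d")
PACKETS = {
    "netmetro":     Packet("192.168.0.2", 1033, "203.0.113.5", 5032, "PA", NETMETRO_LIST),
    "http_reply":   Packet("192.168.0.1", 80, "203.0.113.5", 5032, "PA",
                           b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    "tls_reply":    Packet("192.168.0.1", 443, "203.0.113.5", 5032, "PA",
                           b"\x16\x03\x01\x00\x2f\x02\x00\x00\x2b\x03\x01"),
    "html_comment": Packet("192.168.0.1", 80, "203.0.113.5", 5032, "PA",
                           b"HTTP/1.0 200 OK\r\n\r\n<!-- nav --><html>"),
}


def fired(name):
    return alerts(RULES, PACKETS[name])


if __name__ == "__main__":
    for name in PACKETS:
        print(f"{name:13s} -> {fired(name)}")
```

Run as is, the port-only rule fires on all four packets, which is Paul's problem. His !80 rule drops the HTTP reply but still fires on the TLS reply, because the client's random source port of 5032 can land on any service, not just 80. Jim's rule ignores both legitimate replies, but a two-byte content match is a thin signature: the HTML reply containing "<!-- nav -->" fires it again, so in practice the content should be as long and as specific to the backdoor's protocol as the captured traffic allows. Later Snort releases add the flow keyword (to_server,established), which ties the rule to the direction of the session and addresses this class of false positive directly.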
Current thread:
- Help with custom rule Sheahan, Paul (PCLN-NW) (Jul 26)
- Re: Help with custom rule Jim Forster (Jul 26)
- <Possible follow-ups>
- RE: Help with custom rule Dell, Jeffrey (Jul 26)
- RE: Help with custom rule Sheahan, Paul (PCLN-NW) (Jul 27)