Snort mailing list archives
RE: Test question
From: Jim Forster <jforster () rapidnet com>
Date: Tue, 18 Dec 2001 11:06:16 -0700 (MST)
That's exactly right. On many of the 'content' rules with pipes in them, I just sniff the traffic between two systems. My usual testing goes like this:

1. Set up Snort to be ready to watch all exchanges between the boxes.
2. Start the exploit / attack and log for 15-30 seconds.
3. Fine tune the Snort rules to watch the ports that were involved, and break each type of traffic out to a different log file. (I.E. logto:"TCP")
4. Then it's just a matter of digging through the code for a good fingerprint. Once I have a few that look good, I'll create rules for them and open Snort back up to watch all traffic.

I usually run it a few weeks just to watch for false-positives out of normal traffic. If we get good triggers when we test the exploit (or even better in a real world attack) we've got a new rule. (yes, my home systems get formatted quite often) :)

Hope that helps!

Jim Forster
Network Administrator
RapidNet, A Golden West Company
-------------------------------

On Tue, 18 Dec 2001, Ryan Russell wrote:
> On Mon, 17 Dec 2001, Ronneil Camara wrote:
> > For me, I really appreciate seeing stuff in rules like content:"|ffff ff2f 4249 4e2f 5348 00|". How the hell did that guy come up with this rule!?! :-)
>
> That's machine code from a particular exploit. It was likely pulled off the wire using a sniffer of some kind, or taken from the source code for the exploit. Many of the rules were done using a sniffer.
>
> Developing a rule like this is a tradeoff. The above rule is probably fairly specific, in that it will watch for a particular exploit, and tend to not have a lot of false positives. On the other hand, it's specific to that exploit, so that if someone else writes a different exploit, this rule may not catch it, even though it's exploiting the same hole.
>
> Ryan
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
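To make the two points in this exchange concrete (how a pipe-delimited hex 'content' string turns into bytes, and why an exact byte fingerprint is specific rather than general), here is an added Python example. It is not code from Jim, Ryan or the Snort project; it implements the documented Snort content syntax (literal text, with runs between '|' characters read as hex bytes) and goes slightly beyond the thread by also handling mixed text-and-hex content strings. It does not handle Snort's backslash escapes, and the captured payloads are constructed here purely for illustration.

```python
import re

# The content string quoted in the thread, used as input. Per Snort's content
# syntax, everything between a pair of '|' characters is hex bytes; whitespace
# inside the hex run is ignored. Text outside the pipes is matched literally.
THREAD_CONTENT = '|ffff ff2f 4249 4e2f 5348 00|'

# Constructed sample payloads standing in for what a sniffer would log.
# "exact" carries the byte sequence the rule fingerprints, "variant" carries
# a slightly different encoding of the same idea, "benign" is ordinary HTTP.
CAPTURED_PAYLOADS = {
    "exact":   b"filler-bytes" + b"\xff\xff\xff/BIN/SH\x00" + b"more-filler",
    "variant": b"filler-bytes" + b"\xff\xff\xff/bin/sh\x00" + b"more-filler",
    "benign":  b"GET /index.html HTTP/1.0\r\n\r\n",
}


def parse_content(content: str) -> bytes:
    """Convert a Snort 'content' string into the raw bytes it matches.

    Backslash escapes (\\;, \\", \\|) are not handled by this example.
    """
    segments = content.split('|')
    # Pipes come in pairs, so splitting must give an odd number of segments.
    if len(segments) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, seg in enumerate(segments):
        if i % 2 == 0:
            # Even-indexed segments are literal text (byte-for-byte).
            out.extend(seg.encode('latin-1'))
        else:
            # Odd-indexed segments are hex with optional whitespace.
            digits = re.sub(r'\s+', '', seg)
            if len(digits) % 2 or not re.fullmatch(r'[0-9A-Fa-f]*', digits):
                raise ValueError(f"bad hex segment: {seg!r}")
            out.extend(bytes.fromhex(digits))
    return bytes(out)


def content_matches(content: str, payload: bytes) -> bool:
    """True if the rule's byte pattern occurs anywhere in the payload."""
    return parse_content(content) in payload


def scan_payloads(content: str, payloads: dict) -> list:
    """Return the names of the payloads a content pattern would fire on."""
    return [name for name, data in payloads.items()
            if content_matches(content, data)]


if __name__ == "__main__":
    print("pattern bytes:", parse_content(THREAD_CONTENT))
    # Only the byte-exact payload fires; the lowercase variant is missed,
    # which is the tradeoff Ryan describes: low false positives, narrow scope.
    print("fires on:", scan_payloads(THREAD_CONTENT, CAPTURED_PAYLOADS))
    # Mixed text/hex content is parsed the same way.
    print("mixed:", scan_payloads('GET |2f|index.html', CAPTURED_PAYLOADS))
```

Running it shows the fingerprint decoding to three 0xff bytes followed by "/BIN/SH" and a NUL, firing on the "exact" payload and nothing else; a loosened rule (for example, matching only the trailing string) would catch the variant at the cost of more false positives, which is exactly why Jim runs new rules against normal traffic for a few weeks before trusting them.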