Snort mailing list archives

Re: real basic starter rules


From: Harry Putnam <reader () newsguy com>
Date: Thu, 25 Apr 2002 20:13:09 -0700

Phil Wood <cpw () lanl gov> writes:

[...]

>> A few of the things I tried after reading some of it seemed not to do
>> what I understood they should:
>>
>> 1) The bidirectional example caught my attention.
>>     log !192.168.1.0/24 any <> 192.168.1.0/24 23
>>  Only I couldn't see why the NOT (!) operator was in there.

> First, fix the rule.  You did not have a protocol specified after the 'log'.

Well at least it wasn't just me screwing up I guess. I clipped that
from the manual.  The verbatim passage is:

Section 2.2.5
[...]
     log !192.168.1.0/24 any <> 192.168.1.0/24 23 

     Figure 2.8: Snort rules using the Bidirectional Operator

> Then think of 192.168.1.0 as host A and !192.168.1.0 as NOT A (let's call him B).
> Then the rule above will log the following:
>
>     B(any port) to A(telnet[23] port)
>
> and
>
>     A(telnet port) to B(any port)
>
> Basically, it will log both traffic to and from the telnet daemon* on A.

OK, I get it now, I think, but it seems `any' could have been used
instead of !192.168.1.0/24.  Or would that cause double entries or something?

[...]

>>   log tcp 192.168.0.6 any ->  128.111.24.43 21

> Let's just stop the foo.

Ok, foo stopped...
 
Following directions:

> Do this:
>
>   echo  'log tcp !128.111.24.43 any <> 128.111.24.43 21' > snort.conf
>   rm -rf log
>   mkdir log
>   snort -d -l log -c snort.conf
>
> Then run your ftp to 128.111.24.43 and quit.
>
> Then break out of the snort process.
>
> Then:
>
>   cd log
>
> and cd to the directory that has the address of your client
> which better not be 128.111.24.43, and look in the file:
>
>   TCP:xxxxx-21  (where xxxxx is the source port from the ftp
>                  client)
>
> If you don't see massive quantities of ftp foo going both ways.

Hot dog... there it is.


> Now, did you know that ftp (port 21) is only used for commands
> and not ftp data?  So, you won't see any ftpdata in the file, just
> the tcp handshake, any ftp protocol exchanges, and finally the
> FIN exchange.

Yup...

Thanks for the lesson.
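The two points argued in this thread, that the manual's rule is missing its protocol field and that `!192.168.1.0/24 <> 192.168.1.0/24 23` is not the same as `any <> 192.168.1.0/24 23`, can be checked with a small model of rule-header matching. The code below is an added example written for this archive page; it is not Snort's own code, and it only models single addresses/CIDRs with `!` negation, `any`, single ports and the `->` / `<>` operators (no port ranges, lists or rule options). The packets it matches are constructed summaries, not captured traffic. It also answers the "why not `any`" question from the thread: with the negated source, telnet between two hosts inside 192.168.1.0/24 is not logged, while `any` would log that too.

```python
# Added example: a minimal model of how a Snort rule header (action, protocol,
# source, source port, direction, destination, destination port) is parsed and
# matched against a packet. Not Snort's code; only single CIDRs with optional
# "!" negation, "any", and single ports are modelled.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: just the 5-tuple the rule header looks at."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(spec):
    """'any' matches everything; a leading '!' negates the CIDR that follows."""
    if spec == "any":
        return (False, None)
    negated = spec.startswith("!")
    return (negated, ipaddress.ip_network(spec.lstrip("!"), strict=False))


def _parse_port(spec):
    """'any' or a single port number, optionally negated (ranges/lists not modelled)."""
    if spec == "any":
        return (False, None)
    negated = spec.startswith("!")
    return (negated, int(spec.lstrip("!")))


def parse_rule(text):
    """Parse a rule header. Raises ValueError if a field is missing, which is
    what happens with the manual's example (no protocol after 'log')."""
    fields = text.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {text!r}")
    action, proto, src, sport, direction, dst, dport = fields
    if proto not in ("tcp", "udp", "icmp", "ip"):
        raise ValueError(f"unknown protocol {proto!r}; is the protocol field missing?")
    if direction not in ("->", "<>"):
        raise ValueError(f"unknown direction operator {direction!r}")
    return {"action": action, "proto": proto, "dir": direction,
            "src": _parse_addr(src), "sport": _parse_port(sport),
            "dst": _parse_addr(dst), "dport": _parse_port(dport)}


def _addr_ok(spec, ip):
    negated, net = spec
    hit = True if net is None else ipaddress.ip_address(ip) in net
    return hit != negated


def _port_ok(spec, port):
    negated, wanted = spec
    hit = True if wanted is None else port == wanted
    return hit != negated


def _one_way(rule, src, sport, dst, dport):
    return (_addr_ok(rule["src"], src) and _port_ok(rule["sport"], sport)
            and _addr_ok(rule["dst"], dst) and _port_ok(rule["dport"], dport))


def rule_matches(rule, pkt):
    """'->' checks one direction; '<>' also accepts the packet with its
    endpoints swapped, i.e. the reply direction of the same conversation."""
    if pkt.proto != rule["proto"]:
        return False
    if _one_way(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport):
        return True
    return rule["dir"] == "<>" and _one_way(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)


def rejects_missing_protocol(text="log !192.168.1.0/24 any <> 192.168.1.0/24 23"):
    """True if parse_rule refuses the header; the manual's line lacks 'tcp'."""
    try:
        parse_rule(text)
    except ValueError:
        return True
    return False


def compare_rules():
    """Which constructed packets each rule would log, keyed by description."""
    negated = parse_rule("log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23")
    any_src = parse_rule("log tcp any any <> 192.168.1.0/24 23")
    packets = {  # constructed sample 5-tuples; A = a host in 192.168.1.0/24
        "outside->A:23": Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 23),
        "A:23->outside": Packet("tcp", "192.168.1.10", 23, "10.0.0.5", 40000),
        "A->A:23 (internal)": Packet("tcp", "192.168.1.20", 40000, "192.168.1.10", 23),
    }
    return {name: {"negated": rule_matches(negated, p), "any": rule_matches(any_src, p)}
            for name, p in packets.items()}


if __name__ == "__main__":
    print("manual rule rejected:", rejects_missing_protocol())
    for name, result in compare_rules().items():
        print(f"{name:22} negated={result['negated']!s:5} any={result['any']}")
```

The `<>` handling is the whole point: a bidirectional rule is evaluated once as written and once with the packet's endpoints swapped, so both halves of the telnet (or, in the ftp experiment, the port-21 control) conversation land in the same log. The third packet is the difference between the two rules: the negated source excludes traffic that originates inside the monitored network, which `any` does not.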


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

