Snort mailing list archives

Re: newbie-writing rules help


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 22 Jul 2002 17:24:26 -0400

Snort does not currently support this kind of comma-delimited port list.

I can see two ways to handle your problem:

1) use pass rules to pass ports 23, 80, and 8000-8003, then a blanket alert that picks up anything. You'll also need to change the rule ordering with a command line parameter.

2) use a couple of port-ranged rules (probably simpler to set up, might be less efficient):
# Snort writes a port range as low:high; 8000 is itself an allowed port, so the third range stops at 7999
alert tcp any any -> <SERVER IP> 1:22 (msg:"Er";)
alert tcp any any -> <SERVER IP> 24:79 (msg:"Er";)
alert tcp any any -> <SERVER IP> 81:7999 (msg:"Er";)
alert tcp any any -> <SERVER IP> 8004:65535 (msg:"Er";)

Note that you do NOT want "any" for the destination IP, since the outbound traffic from your webserver would trigger the rule (it would be from port 80, to an outside machine on some random port >1024, so any time anyone accessed your website it would go off for all of the response traffic).

You might also want to consider adding flags:S+, so that only the SYN sets it off.

I also take it that the server in question is not allowed to act as a client and browse web pages on the outside, download files, etc.



At 01:38 PM 7/22/2002 -0700, charella constansia wrote:
Hi,

I have a question! I'm a newbie so maybe this sounds
like a stupid question to you, but please help me.

I want to write some rules.
My problem is that I have a server and only certain
activities are allowed.

For example, only traffic from the outside going to
ports 80, 23, 8000, 8001, 8002 and a few more is allowed.
How must I define this?
I thought of:
alert tcp any anu -> any 1[80,23,8000,8001,8002]
(msg:"Er";)
Is this good? I looked in the Snort users manual but I
couldn't find the answer.

Thanks, I hope that somebody can help me.

sharella () yahoo com



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



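The reply above describes two ways to alert on inbound TCP traffic to a server that is not aimed at an allow-listed port: a set of alert rules covering the gaps between the allowed ports, or pass rules for the allowed ports plus a blanket alert (run with Snort's -o switch so pass rules are evaluated before alert rules). The script below is an added example, not code from the thread or from the Snort project: it computes the complementary port ranges from an allow-list and prints both rule sets in Snort's low:high range syntax. The server address (a TEST-NET-1 placeholder), the allow-list, the message text and the sid values are all constructed for the example.

```python
"""Generate Snort rules that alert on inbound TCP traffic to a server
except for an allow-list of ports (added example, not from the thread)."""

SERVER_IP = "192.0.2.10"                         # placeholder address, constructed
ALLOWED_PORTS = [23, 80, 8000, 8001, 8002, 8003]  # constructed allow-list
MSG = "Unexpected inbound TCP port"               # constructed message text


def complement_ranges(allowed, lo=1, hi=65535):
    """Return the (start, end) port ranges in [lo, hi] that are NOT allowed.

    Duplicates and out-of-range values in `allowed` are ignored. Computing
    the gaps mechanically avoids the off-by-one a hand-written list can hide
    (e.g. a range ending at 8000 when 8000 itself is allowed).
    """
    ports = sorted({p for p in allowed if lo <= p <= hi})
    ranges = []
    cur = lo
    for p in ports:
        if p > cur:
            ranges.append((cur, p - 1))
        cur = p + 1
    if cur <= hi:
        ranges.append((cur, hi))
    return ranges


def snort_port_range_rules(allowed, server_ip, base_sid=1000001):
    """Option 2 from the reply: one alert rule per uncovered port range.

    Snort writes a range as low:high. The destination is the server address,
    not 'any', so the server's own replies (source port 80) never match, and
    flags:S+ restricts the match to the connection's SYN packet.
    """
    rules = []
    for i, (start, end) in enumerate(complement_ranges(allowed)):
        port = f"{start}:{end}" if start != end else str(start)
        rules.append(
            f"alert tcp any any -> {server_ip} {port} "
            f'(msg:"{MSG}"; flags:S+; sid:{base_sid + i}; rev:1;)'
        )
    return rules


def snort_pass_rules(allowed, server_ip, base_sid=1000101):
    """Option 1 from the reply: pass rules for each allowed port plus a
    blanket alert on everything else. Only correct when Snort is started
    with -o, which orders rules Pass -> Alert -> Log instead of the default
    Alert -> Pass -> Log."""
    ports = sorted({p for p in allowed if 1 <= p <= 65535})
    rules = [
        f"pass tcp any any -> {server_ip} {p} (sid:{base_sid + i}; rev:1;)"
        for i, p in enumerate(ports)
    ]
    rules.append(
        f"alert tcp any any -> {server_ip} any "
        f'(msg:"{MSG}"; flags:S+; sid:{base_sid + len(ports)}; rev:1;)'
    )
    return rules


if __name__ == "__main__":
    print("# Option 2: complementary port ranges")
    print("\n".join(snort_port_range_rules(ALLOWED_PORTS, SERVER_IP)))
    print("\n# Option 1: pass rules + blanket alert (start snort with -o)")
    print("\n".join(snort_pass_rules(ALLOWED_PORTS, SERVER_IP)))
```

Running the script prints the four range rules (1:22, 24:79, 81:7999, 8004:65535) followed by the pass-rule variant; paste whichever set you prefer into a rules file included from snort.conf.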

