Snort mailing list archives

Re: R: Rule Creation Question !.


From: Michael Boman <michael () ayeka dyndns org>
Date: Wed, 2 Oct 2002 22:40:37 +0800

On Wed, Oct 02, 2002 at 12:09:14PM +0200, Moreno Poli wrote:
It is not easy because online I have one web server, one mail server, one
proxy server and one Snort PC.

I want to be sure that only tcp/25 and tcp/110 traffic arrives at the mail
server, and only tcp/80 and tcp/443 traffic arrives at the web server, but
I also want to use all the other rules to control proxy traffic and http,
smtp, and pop3 traffic.


PS: I'm not a C programmer.

Best Regards

Moreno Poli

You don't need to know C programming to use bpf filters...


This is what I can come up with:

ignore.bpf:

not (host $MAILSERVER and proto tcp and (port 25 or port 110)) and \
not (host $WEBSERVER and proto tcp and (port 80 or port 443)) and  \
not (host $PROXYSERVER and proto tcp and port $PROXYPORT)


local.rules:
log ip any any <> any any (msg:"Bad stuff";)

Start with (add other options as you see fit):
snort -F ignore.bpf -c snort.conf


DISCLAIMER:
Wrote everything from the top of my head and it is provided AS-IS. Please
double-check with the manual page for 'tcpdump' regarding the BPF
stuff.. Sitting in the wrong OS to be really helpful.. And don't forget
to change the $VALUES for the real stuff...


Best regards
 Michael Boman



-----Original Message-----
From: Michael Boman [mailto:michael () ayeka dyndns org]
Sent: Wednesday, 2 October 2002 3:23
To: Moreno Poli
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule Creation Question !.


On Tue, Oct 01, 2002 at 04:39:34PM +0200, Moreno Poli wrote:
If I have a server with pop3 and smtp services, is it possible to create a
rule that logs all incoming traffic except traffic for these 2 ports? I
know that it is possible to create a rule that logs all traffic except 1 port,
but if the ports are two or three, is it possible?

Moreno Poli

Yes, use bpf filters:

not port 25 and not port 110


Then you can ask snort to log everything, as it's totally blind about
SMTP and POP3 traffic (never gets them).

'man tcpdump' will tell you how to write bpf filters, and the snort manpage
will tell you how to use them.

Best regards
 Michael Boman

-- 
Michael Boman
Student, Husband, Geek. Not necessarily in that order though.



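The ignore.bpf approach from the reply above, as an added example that is not part of the original thread: a small Python model of what the three 'not (...)' clauses let through to Snort, run over constructed packets. The host addresses and proxy port are constructed stand-ins for the $VALUES in the post, and the matcher implements only the tcpdump semantics the filter relies on ('host' and 'port' match either direction).

```python
from collections import namedtuple
from string import Template

# Constructed stand-ins for the $VALUES the post tells the reader to replace
# (example values, not the poster's real hosts).
VALUES = {"MAILSERVER": "192.0.2.10", "WEBSERVER": "192.0.2.20",
          "PROXYSERVER": "192.0.2.30", "PROXYPORT": "3128"}

IGNORE_BPF = Template(
    "not (host $MAILSERVER and proto tcp and (port 25 or port 110)) and "
    "not (host $WEBSERVER and proto tcp and (port 80 or port 443)) and "
    "not (host $PROXYSERVER and proto tcp and port $PROXYPORT)")

def render_ignore_bpf(values=VALUES):
    """BPF has no variables: substitute the $VALUES before 'snort -F' reads the file."""
    return IGNORE_BPF.substitute(values)

Packet = namedtuple("Packet", "src dst proto sport dport")

def allowed_services(values=VALUES):
    """(host, ports) pairs, one per 'not (...)' clause of the filter."""
    return [(values["MAILSERVER"], {25, 110}),
            (values["WEBSERVER"], {80, 443}),
            (values["PROXYSERVER"], {int(values["PROXYPORT"])})]

def passes_filter(pkt, values=VALUES):
    """True when ignore.bpf lets the packet through, i.e. Snort sees and logs it.
    Models tcpdump semantics: 'host X' and 'port N' match either direction."""
    for host, ports in allowed_services(values):
        involves_host = host in (pkt.src, pkt.dst)
        on_port = pkt.sport in ports or pkt.dport in ports
        if involves_host and pkt.proto == "tcp" and on_port:
            return False  # matched an allowed-service clause: dropped before Snort
    return True

SAMPLE = [  # constructed traffic; only the unexpected flows should reach Snort
    Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 25),    # SMTP to mail server: ignored
    Packet("203.0.113.5", "192.0.2.10", "tcp", 40001, 22),    # SSH to mail server: logged
    Packet("203.0.113.5", "192.0.2.20", "udp", 40002, 53),    # UDP to web server: logged
    Packet("192.0.2.10", "198.51.100.9", "tcp", 50000, 25),   # mail server relaying out: also ignored
    Packet("203.0.113.5", "192.0.2.30", "tcp", 40003, 3128),  # proxy port: ignored
]

def logged_packets(packets=SAMPLE, values=VALUES):
    """Packets that pass ignore.bpf and hence match 'log ip any any <> any any'."""
    return [p for p in packets if passes_filter(p, values)]
```

The fourth sample packet shows the caveat with the filter as written: because 'host' and 'port' match either direction, the mail server's own outbound SMTP is also hidden from Snort, and the 'dst host' / 'dst port' primitives from the tcpdump manual page would narrow the exclusion to inbound traffic.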


