Snort mailing list archives
Re: R: Rule Creation Question !.
From: Michael Boman <michael () ayeka dyndns org>
Date: Wed, 2 Oct 2002 22:40:37 +0800
On Wed, Oct 02, 2002 at 12:09:14PM +0200, Moreno Poli wrote:
> It's not easy because online I have one web server, one mail server, one proxy server and one snort pc. I want to be sure that only tcp/25 and tcp/110 traffic arrives at the mail server and only tcp/80 and tcp/443 traffic arrives at the web server, but I also want to use all the other rules to control proxy traffic and http, smtp and pop3 traffic.
>
> PS: I'm not a C programmer.
>
> Best Regards
> Moreno Poli
You don't need to know C programming to use bpf filters... This is what I can come up with:

ignore.bpf:

    not (host $MAILSERVER and tcp and (port 25 or port 110)) and \
    not (host $WEBSERVER and tcp and (port 80 or port 443)) and \
    not (host $PROXYSERVER and tcp and port $PROXYPORT)

local.rules:

    log ip any any <> any any (msg:"Bad stuff";)

Start with (add other options as you see fit):

    snort -F ignore.bpf -c snort.conf

DISCLAIMER: Wrote everything from the top of my head and it is provided AS-IS. Please double-check with the manual page for 'tcpdump' regarding the BPF stuff.. Sitting in the wrong OS to be really helpful.. And don't forget to change the $VALUES for the real stuff...

Best regards
Michael Boman
-----Original message-----
From: Michael Boman [mailto:michael () ayeka dyndns org]
Sent: Wednesday, 2 October 2002 3.23
To: Moreno Poli
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule Creation Question !.

On Tue, Oct 01, 2002 at 04:39:34PM +0200, Moreno Poli wrote:
> If I have a server with pop3 and smtp services, is it possible to create a rule that logs all incoming traffic except traffic for these 2 ports? I know that it is possible to create a rule that logs all traffic except 1 port, but if the ports are two or three, is it possible?
>
> Moreno Poli

Yes, use bpf filters:

    not port 25 and not port 110

Then you can ask snort to log everything, as it's totally blind about SMTP and POP3 traffic (never gets them).

'man tcpdump' will tell you how to write bpf filters, and the snort manpage will tell you how to use them.

Best regards
Michael Boman
--
Michael Boman
Student, Husband, Geek. Not necessarily in that order though.
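An added example (editor's code, not from the thread) that models the ignore.bpf semantics in Python: in BPF, `host` and `port` each match either end of a packet, so the symmetric form above also silences the mail server talking out to a remote port 110 and anything arriving from source port 25, whereas a form that pins `dst host`/`dst port` and `src host`/`src port` together only hides the real service traffic. The addresses are constructed placeholders for the $VALUES; `render_bpf` writes the filter with the bare `tcp` keyword, which is the form libpcap accepts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    sport: int    # source port
    dport: int    # destination port

# Constructed addresses standing in for the $VALUES in the post (assumed, not real hosts).
MAILSERVER, WEBSERVER, PROXYSERVER, PROXYPORT = "192.0.2.10", "192.0.2.20", "192.0.2.30", 3128

# (host, tcp service ports) pairs that the ignore.bpf in the post excludes from logging.
EXCLUDE = [(MAILSERVER, {25, 110}), (WEBSERVER, {80, 443}), (PROXYSERVER, {PROXYPORT})]

def matches_symmetric(pkt, host, ports):
    """BPF 'host H and tcp and (port A or port B)': host and port each match either end."""
    return (pkt.proto == "tcp" and host in (pkt.src, pkt.dst)
            and (pkt.sport in ports or pkt.dport in ports))

def matches_pinned(pkt, host, ports):
    """'(dst host H and tcp and dst port N) or (src host H and tcp and src port N)':
    the service address and the service port must sit at the same end of the packet."""
    return pkt.proto == "tcp" and ((pkt.dst == host and pkt.dport in ports)
                                   or (pkt.src == host and pkt.sport in ports))

def should_log(pkt, matcher=matches_symmetric):
    """'not (...) and not (...) and not (...)': log only if no exclusion matches."""
    return not any(matcher(pkt, host, ports) for host, ports in EXCLUDE)

def render_bpf(pinned=False):
    """Emit the ignore.bpf text with real values substituted. Note the bare 'tcp'
    keyword: libpcap rejects 'proto tcp' unless the name is escaped as 'proto \\tcp'."""
    clauses = []
    for host, ports in EXCLUDE:
        plist = sorted(ports)
        if pinned:
            dports = " or ".join(f"dst port {p}" for p in plist)
            sports = " or ".join(f"src port {p}" for p in plist)
            clauses.append(f"not ((dst host {host} and tcp and ({dports})) or "
                           f"(src host {host} and tcp and ({sports})))")
        else:
            ports_expr = " or ".join(f"port {p}" for p in plist)
            clauses.append(f"not (host {host} and tcp and ({ports_expr}))")
    return " and \\\n".join(clauses)
```

`should_log(Packet(MAILSERVER, "203.0.113.9", "tcp", 40001, 110))` is False with the symmetric filter but True with `matches_pinned`, which is the detection gap to weigh before deploying the shorter form.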