Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Questions after 1.9.1 install

From: John Sage <jsage () finchhaven com>
Date: Sat, 15 Mar 2003 10:07:32 -0800
On Sat, Mar 15, 2003 at 01:25:44AM -0500, Alberto Gonzalez wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all. Long time no post..


{ yawn... } Hello


alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \
Win2k SMB";)



Hrm... lets take a look at this

(cervello is internal @ 192.168.1.4)

(root@cervello)(~) cat /etc/snort/rules/local.rules

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "TCP inbound to \
 445 Win2k SMB"; )

Then from my gateway 

(root@cerebro)(~) telnet 192.168.1.4 445
Trying 192.168.1.4...
telnet: connect to address 192.168.1.4: Connection refused
(root@cerebro)(~) 

I go back to cervello 

(root@cervello)(~) tail -f /var/log/snort/alert 


[**] [1:0:0] TCP inbound to 445 Win2k SMB [**]
[Priority: 0] 
03/15-01:24:28.795690 192.168.1.1:44904 -> 192.168.1.4:445
TCP TTL:51 TOS:0x0 ID:12719 IpLen:20 DgmLen:40
******S* Seq: 0x7DE72FFE  Ack: 0x0  Win: 0x1000  TcpLen: 20

It worked here, verified it on linux and openbsd. 


But was that the *only* rule in your local.rules?

It's not so much that the rule doesn't work, it's that it doesn't fire
while a more generic rules does, even when the specific rule is
*before* the generic one (to address Erek's question..) thus:


alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "TCP inbound to 445 Win2k SMB"; )

comes before the generic:

alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \
from range 1025-4320";)


Does -o also re-order rules within the class "alert" in addition to
re-ordeging the general classes?

I hadn't thought so..



- John
-- 
"You must define an operating system environment,
 or the configuration file build will puke."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705


-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: