Snort mailing list archives

RE: Noob question about different parts of a rule


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 28 Apr 2003 15:19:21 -0500

Here's what the rule means:

If you see any established (flow:from_server,established) tcp (tcp)
traffic from my network ($HOME_NET) coming from ports 12345 or 12346
going to any address not on my network ($EXTERNAL_NET) on any port (any)
with a packet that has the string "NetBus" (content:"NetBus") in it,
send me an alert.

$HOME_NET and $EXTERNAL_NET are variables that *you* must define in the
snort.conf file.  One common definition is:

$HOME_NET = 123.456.789.0/24  (your IP range)
$EXTERNAL_NET = !$HOME_NET    (not your IP range)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
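Added worked example (not from the list post, and not Snort's own code): a small Python model of how the parts described above fit together. It splits the sid 109 rule into its seven header fields and its options, expands $HOME_NET / $EXTERNAL_NET the way the definitions above imply (including the "!" negation), and evaluates the rule against a few constructed packet summaries so each failing condition (wrong port, destination still inside, no "NetBus" string, session not established) can be seen on its own. The 192.0.2.0/24 network, the packet summaries and the simplified matcher are assumptions for illustration only; Snort's real engine does stream reassembly, honours quoting inside options, supports nocase and much more.

```python
import ipaddress

# Constructed snort.conf-style variable definitions. The addresses are
# documentation ranges chosen for this example, not the list poster's network.
VARS = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# The rule from the original question (sid 109), copied verbatim.
RULE = ('alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any '
        '(msg:"BACKDOOR netbus active"; flow:from_server,established; '
        'content:"NetBus"; reference:arachnids,401; classtype:misc-activity; '
        'sid:109; rev:4;)')


def parse_rule(text):
    """Split a rule into its seven header fields plus a dict of options.

    Options are split on ';', which is enough for this rule; a production
    parser must honour quoting so a ';' inside content:"..." is not a separator.
    """
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for opt in body.rstrip(")").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def address_matches(spec, ip, variables):
    """Resolve $VAR and ! prefixes, then test ip against the resulting network."""
    negate = False
    while True:
        if spec.startswith("!"):
            negate = not negate          # '!' flips the sense of the test
            spec = spec[1:]
        elif spec.startswith("$"):
            spec = variables[spec[1:]]   # expand $HOME_NET / $EXTERNAL_NET
        else:
            break
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    """'any', a single port, or a lo:hi range (either end may be left open)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_fires(rule, pkt, variables):
    """True when a packet summary satisfies the header, flow and content checks."""
    if pkt["proto"] != rule["proto"]:
        return False
    if not (address_matches(rule["src"], pkt["src"], variables)
            and port_matches(rule["sport"], pkt["sport"])):
        return False
    if not (address_matches(rule["dst"], pkt["dst"], variables)
            and port_matches(rule["dport"], pkt["dport"])):
        return False
    opts = rule["options"]
    flow = set(opts.get("flow", "").split(","))
    if "established" in flow and not pkt["established"]:
        return False
    if "from_server" in flow and pkt["direction"] != "from_server":
        return False
    # content: is a case-sensitive substring match unless nocase is given
    if "content" in opts and opts["content"].encode() not in pkt["payload"]:
        return False
    return True


def _pkt(name, **overrides):
    """Constructed packet summary: an established reply from an inside host."""
    base = {"name": name, "proto": "tcp", "src": "192.0.2.10", "sport": 12345,
            "dst": "198.51.100.7", "dport": 40000, "established": True,
            "direction": "from_server", "payload": b"NetBus 1.70 ready"}
    base.update(overrides)
    return base


PACKETS = [
    _pkt("matches"),                                   # every condition met
    _pkt("wrong_port", sport=8080),                    # outside 12345:12346
    _pkt("stays_inside", dst="192.0.2.20"),            # dst not in $EXTERNAL_NET
    _pkt("no_netbus_string", payload=b"hello"),        # content: fails
    _pkt("not_established", established=False),        # flow: fails
]


def evaluate_all():
    """Map each constructed packet name to whether sid 109 would fire on it."""
    rule = parse_rule(RULE)
    return {p["name"]: rule_fires(rule, p, VARS) for p in PACKETS}


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        print(f"{name:18} -> {'ALERT' if fired else 'no alert'}")
```

Only the first constructed packet satisfies every part of the rule; each of the others fails exactly one of the header, flow or content conditions, which is the point of the three-part structure Paul walks through.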

-----Original Message-----
From: stormshadow [mailto:storm-shadow () comcast net] 
Sent: Monday, April 28, 2003 2:51 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Noob question about different parts of a rule



I was looking at this rule trying to learn what everything in there
means:
alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:4;)

Can anyone explain this rule to me? I know that there are 3 modes 
right? (alert, log, and something else). What does the $HOME_NET and 
$EXTERNAL_NET mean? Why do you say "any"?

Is this rule stating "alert any traffic outbound from port 12345 and
123456"?
Confused.
TIA
Storm






-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users




