Snort mailing list archives
RE: Noob question about different parts of a rule
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Mon, 28 Apr 2003 16:51:43 -0400
HOME_NET and EXTERNAL_NET are variables defined in snort.conf -- they're usually your home network number and the 'outside' network (or !$HOME_NET), respectively.

The rule states that any packet originating from the home network using TCP source ports 12345 or 12346, going to 'any' destination TCP port on the external network, and containing the text 'NetBus' within the packet data, should generate an 'alert' telling you that there is NetBus activity on your home network. Pretty simple. :)

Cheers!

-----Original Message-----
From: stormshadow [mailto:storm-shadow () comcast net]
Sent: Monday, April 28, 2003 3:51 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Noob question about different parts of a rule

I was looking at this rule trying to learn what everything in there means:

alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:4;)

Can anyone explain this rule to me? I know that there are 3 modes right? (alert, log, and something else). What does the $HOME_NET and $EXTERNAL_NET mean? Why do you say "any"? Is this rule stating "alert any traffic outbound from port 12345 and 123456"? Confused. TIA

Storm

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
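The reply above walks through the header of that rule (action, protocol, source, source port range, direction, destination, destination port) and its option list. As an added example that is not part of this thread or of Snort itself, the following Python script parses a rule of that form into those pieces, expands the $HOME_NET and $EXTERNAL_NET variables from a constructed table standing in for the `var` lines in snort.conf, and checks whether a given port falls inside a 12345:12346 style range. The SNORT_VARS values and the helper names are assumptions made for the example.

```python
"""Added example (not from the thread or from Snort): break a Snort rule into
its header fields and options, resolve $VARIABLE references, and test ports
against the 'any' / single-port / low:high syntax the reply explains."""
import re
from dataclasses import dataclass, field

# Constructed stand-in for the 'var HOME_NET ...' lines in snort.conf.
SNORT_VARS = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",   # 'not the home network', as in the reply
}

# The rule quoted in the original question.
RULE = ('alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any '
        '(msg:"BACKDOOR netbus active"; flow:from_server,established; '
        'content:"NetBus"; reference:arachnids,401; classtype:misc-activity; '
        'sid:109; rev:4;)')


@dataclass
class SnortRule:
    action: str        # alert / log / pass
    proto: str         # tcp / udp / icmp / ip
    src: str           # address or $VARIABLE
    src_port: str      # 'any', a port, or low:high
    direction: str     # '->' or '<>'
    dst: str
    dst_port: str
    options: list = field(default_factory=list)   # [(keyword, value-or-None), ...]


def parse_rule(text: str) -> SnortRule:
    """Split 'header (options)' into the seven header fields and the option list."""
    head, _, opts = text.strip().partition("(")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError("header must be: action proto src sport direction dst dport")
    if fields[4] not in ("->", "<>"):
        raise ValueError(f"unknown direction operator {fields[4]!r}")
    opts = opts.rstrip().rstrip(")")
    options = []
    # Split on ';' only when an even number of double quotes follows, so a
    # semicolon inside msg:"..." does not break the option apart.
    for part in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', opts):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition(":")
        options.append((key.strip(), val.strip().strip('"') if val else None))
    return SnortRule(*fields, options=options)


def resolve_var(token: str, variables=SNORT_VARS) -> str:
    """Expand $NAME references, following nested ones such as !$HOME_NET."""
    negate = False
    while token.startswith(("!", "$")):
        if token.startswith("!"):
            negate = not negate
            token = token[1:]
        else:
            token = variables[token[1:]]
    return ("!" if negate else "") + token


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or low:high (either bound may be omitted); '!' negates."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(rule.action, rule.proto, resolve_var(rule.src), rule.src_port,
          rule.direction, resolve_var(rule.dst), rule.dst_port)
    for key, val in rule.options:
        print(f"  {key}: {val}")
    print("source port 12346 in range:", port_matches(rule.src_port, 12346))
    print("source port 12347 in range:", port_matches(rule.src_port, 12347))
```

Running it shows the header resolved to 'alert tcp 192.168.1.0/24 12345:12346 -> !192.168.1.0/24 any' followed by the seven options; the sid and rev pair is what identifies this rule in the alert output, and content:"NetBus" is the payload match the reply refers to.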
Current thread:
- Noob question about different parts of a rule stormshadow (Apr 28)
- Re: Noob question about different parts of a rule Matt Kettler (Apr 28)
- <Possible follow-ups>
- RE: Noob question about different parts of a rule Schmehl, Paul L (Apr 28)
- RE: Noob question about different parts of a rule L. Christopher Luther (Apr 28)