Snort mailing list archives
Re: Newbie question on gnutella rule
From: Michael Boman <michael.boman () securecirt com>
Date: Sun, 14 Dec 2003 12:42:47 +0800
On Sat, 2003-12-13 at 23:47, Josh Berry wrote:
Since you are using a proxy, all of your web clients are sending GET requests for web pages to the proxy server on port 8080. This rule will alarm if it sees any GET request going to any port except 80. Maybe you could create a port list of ports that you expect to see GET requests on, just add !8080 to what is already there (!80). I believe that you have to do this like: [!80,!8080]
That won't work. Snort doesn't support port lists yet (dunno when we will have it either.. Last time I heard anything about it they (as in snort coders) were looking for a good algorithm IIRC). What you could do is to create a pass rule for it instead. Make sure you don't make your pass rule too generic, in which case you will miss valid alerts. What I usually do is that I duplicate the rule, change "alert" to "pass" and make sure that the "-o" option for snort is there. Also assign it a new sid (reserved local rules have sid 1000000+, ie one million and above [IIRC - check the documentation]).

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
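The alert-plus-pass pattern described above, written out as an added example in 2003-era Snort 2.x rule syntax (this is not the stock Snort gnutella rule and not code from either poster; the rule contents, the `PROXY_SERVER` variable and the sids are constructed for illustration):

```snort
# snort.conf fragment (constructed): the proxy host the clients talk to on 8080.
var PROXY_SERVER 192.0.2.10

# Hypothetical alert rule of the kind discussed: fires on an HTTP GET sent
# from the inside to any port other than 80, which is why proxied traffic
# to 8080 keeps tripping it.
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"LOCAL GET to non-80 port"; \
    flow:to_server,established; content:"GET "; depth:4; \
    classtype:policy-violation; sid:1000001; rev:1;)

# Pass rule made by duplicating the alert rule and narrowing it to the one
# case that is known to be legitimate: GETs to the proxy on 8080 only.
# Keeping $PROXY_SERVER and 8080 specific avoids silencing real alerts.
pass tcp $HOME_NET any -> $PROXY_SERVER 8080 (msg:"LOCAL pass proxied GET to 8080"; \
    flow:to_server,established; content:"GET "; depth:4; \
    classtype:policy-violation; sid:1000002; rev:1;)

# Pass rules are only evaluated before alert rules when the rule order is
# changed to pass -> alert -> log, e.g.:
#   snort -o -c /etc/snort/snort.conf
# (or, in snort.conf: config order: pass alert log)
```

Both rules use sids in the local range (1000000+) so they cannot collide with the distributed ruleset's identifiers.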