Snort mailing list archives
rule help for a beginner [long sorry]
From: eamonn doyle <edoyle () faxsr com>
Date: Wed, 14 Apr 2004 17:36:46 -0500
Hello,

I am trying to modify an existing rule that is giving me some problems:

    # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    # All rights reserved.
    # $Id: p2p.rules,v 1.11 2003/10/20 15:03:11 chrisgreen Exp $
    #-------------
    # P2P RULES
    #-------------
    # These signatures look for usage of P2P protocols, which are usually
    # against corporate policy

This link below does state that "Any HTTP GET request to a port associated with a p2p application may generate a false positive event."

http://www.snort.org/snort-db/sid.html?sid=1432

So I should, I guess, be expecting it, even though it appears to be a false positive in my environment. I have users that connect to MS Livemeeting service and every time they do, this rule is triggered:

    alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

Alarms:
=====================================================
Apr 13 17:06:53 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.15.32:40361 -> 204.176.46.191:8005
Apr 13 17:09:41 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.5.57:2821 -> 204.176.46.185:8005
Apr 13 17:40:57 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.15.32:40541 -> 204.176.46.191:8005
Apr 13 17:43:06 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.15.4:7407 -> 204.176.46.190:8005
=====================================================

whois data:
=====================================================
doyle@spar:~> whois 204.176.46.191
UUNET Technologies, Inc. UUNETCBLK176-179 (NET-204-176-0-0-1)
                                  204.176.0.0 - 204.179.255.255
Placeware, Inc. UU-204-176-46-D2 (NET-204-176-46-0-1)
                                  204.176.46.0 - 204.176.46.255
=====================================================

Placeware=livemeeting now that MS bought them.
================================

I have added a variable to my snort.conf to use in the rule:

    # modify the p2p rule to avoid detection on the livemeeting servers.
    var LIVEMEETING 204.176.46.0/24

And I have modified the rule as follows adding the !$LIVEMEETING and the []:

    alert tcp $HOME_NET any -> [$EXTERNAL_NET,!$LIVEMEETING] !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

Then restarted everything with no complaints from the logs, but I still seem to get the alarms.

    snort1:/var/log/snort/204.176.46.190 # cat TCP\:8005-7407
    [**] P2P GNUTella GET [**]
    04/13-17:43:06.769467 172.16.15.4:7407 -> 204.176.46.190:8005
    TCP TTL:128 TOS:0x0 ID:30612 IpLen:20 DgmLen:267 DF
    ***AP*** Seq: 0xA5D85ECC  Ack: 0xE00C147  Win: 0xFD5C  TcpLen: 20
    47 45 54 20 2F 70 61 67 65 20 48 54 54 50 2F 31  GET /page HTTP/1
    2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent:
    4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D  Mozilla/4.0 (com
    70 61 74 69 62 6C 65 20 3B 20 4D 53 49 45 20 36  patible ; MSIE 6
    2E 30 2E 32 38 30 30 2E 31 31 30 36 20 3B 20 4D  .0.2800.1106 ; M
    69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73  icrosoft Windows
    20 32 30 30 30 20 53 65 72 76 69 63 65 20 50 61   2000 Service Pa
    63 6B 20 33 20 3B 20 50 6C 61 63 65 77 61 72 65  ck 3 ; Placeware
    20 52 50 43 20 31 2E 30 29 0D 0A 48 6F 73 74 3A   RPC 1.0)..Host:
    20 76 61 70 77 62 64 2E 6F 70 73 2E 70 6C 61 63   vapwbd.ops.plac
    65 77 61 72 65 2E 63 6F 6D 3A 38 30 30 35 0D 0A  eware.com:8005..
    43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70  Connection: Keep
    2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 6F  -Alive..Cache-Co
    6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D  ntrol: no-cache.
    0A 0D 0A                                         ...

Is there something very obvious that I am doing wrong?

Thanks
Eamonn
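The following is an added example, not part of the original post and not Snort project code. It is a small Python triage helper that parses the syslog-format alert lines quoted above, checks each destination against the LIVEMEETING exclusion (204.176.46.0/24 from the post), and models the edited rule's intended header and content logic (destination port not 80, destination outside the exclusion, payload starting with "GET " within the first 4 bytes). It models the rule's intent in plain Python; it does not reproduce Snort's own parsing of bracketed IP lists, and the function names (parse_alerts, triage, rule_would_fire, content_matches) are hypothetical. The fourth alert line and the 198.51.100.7 address are constructed so that the exclusion has something to leave untouched.

```python
import ipaddress
import re

# Constructed sample input: three of the syslog alert lines quoted in the post,
# plus one made-up line to a non-Placeware host (198.51.100.7 is a
# documentation-only address), so the exclusion has something to leave alone.
SAMPLE_ALERTS = """\
Apr 13 17:06:53 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.15.32:40361 -> 204.176.46.191:8005
Apr 13 17:09:41 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.5.57:2821 -> 204.176.46.185:8005
Apr 13 17:43:06 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.15.4:7407 -> 204.176.46.190:8005
Apr 13 18:00:00 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.15.9:3344 -> 198.51.100.7:6346
"""

# First 16 bytes of the packet dump quoted in the post ("GET /page HTTP/1").
PLACEWARE_PAYLOAD = bytes.fromhex("47 45 54 20 2F 70 61 67 65 20 48 54 54 50 2F 31")

# Snort syslog alert format as it appears in the post:
# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[Classification:"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Turn syslog alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("gid", "sid", "rev", "sport", "dport"):
                d[key] = int(d[key])
            alerts.append(d)
    return alerts


def in_any_network(ip, cidrs):
    """True if ip falls inside any of the CIDR strings (e.g. the LIVEMEETING var)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def content_matches(payload, pattern=b"GET ", offset=0, depth=4):
    """Model of content:"GET "; offset:0; depth:4; -- the pattern must lie
    entirely within the `depth` bytes that start at `offset`."""
    return pattern in payload[offset:offset + depth]


def rule_would_fire(alert, payload, exclusions, excluded_dport=80):
    """Model of the edited rule's intent (hypothetical, not Snort's parser):
    fire only when dst port is not 80, dst is outside every exclusion network,
    and the payload begins with "GET "."""
    if int(alert["dport"]) == excluded_dport:
        return False
    if in_any_network(alert["dst"], exclusions):
        return False
    return content_matches(payload)


def triage(text, exclusions):
    """Split parsed alerts into (covered_by_exclusion, still_alerting) so an
    analyst can confirm the exclusion CIDR actually covers the noisy hosts."""
    covered, remaining = [], []
    for a in parse_alerts(text):
        (covered if in_any_network(a["dst"], exclusions) else remaining).append(a)
    return covered, remaining


if __name__ == "__main__":
    livemeeting = ["204.176.46.0/24"]  # the var LIVEMEETING value from the post
    covered, remaining = triage(SAMPLE_ALERTS, livemeeting)
    print(f"{len(covered)} alert(s) fall inside the LIVEMEETING exclusion:")
    for a in covered:
        print(f"  {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  sid {a['sid']}")
    print(f"{len(remaining)} alert(s) would still fire:")
    for a in remaining:
        print(f"  {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  sid {a['sid']}")
    print("dumped packet satisfies the content check:", content_matches(PLACEWARE_PAYLOAD))
    print("edited rule should fire on it:", rule_would_fire(covered[0], PLACEWARE_PAYLOAD, livemeeting))
```

Running it against the quoted alerts shows all three Placeware destinations inside 204.176.46.0/24 and the constructed 198.51.100.7 alert outside it, which separates "the exclusion CIDR is wrong" from "the rule is not honouring the exclusion": if the CIDR covers every noisy destination here but Snort still alerts, the problem is in how the rule expresses the exclusion, not in the address range.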
Current thread:
- rule help for a beginner [long sorry] eamonn doyle (Apr 14)
- Re: rule help for a beginner [long sorry] Alejandro Flores (Apr 14)