Snort mailing list archives
Re: Question on port lists and negation
From: John Curry <john.curry () metre net>
Date: Mon, 08 Oct 2007 20:13:34 -0500
Hello Richard,

I believe something like the following should work, without the use of 'flow' in the rule.

    alert tcp any !PORTS -> any !PORTS

The rule needs to apply to packets going to and coming from the ports in the PORTS list. I have not found the "->" token to do anything to enforce direction since at least 2.4.3. I've had to rely on the 'flow' option to enforce a packet direction for TCP sessions. I would use something like this:

    alert tcp any any -> any !PORTS ( flow:to_server,established; ... )
To the best of my knowledge, using the option 'flow:to_server, established;' does two things:

  1. prevents your alert from triggering until a flow is "established", and
  2. prevents alerting on return packets related to the established flow.
-John

Richard Bejtlich wrote:
> On 10/8/07, Matthew Watchinski <mwatchinski () sourcefire com> wrote:
>
>> Richard Bejtlich wrote:
>>
>>> Say I create this snort.conf:
>>>
>>>     portvar MY_HTTP_PORTS [80,81,82,83,88,8000,8008,8080]
>>>     alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not"; sid:4;)
>>
>> It alerts because 192.168.2.105:50970 -> 192.168.2.103:8000 is no different than
>> 192.168.2.103:8000 -> 192.168.2.105:50970 cause you are running with any any -> any !PORTS.
>> any any matches both 192.168.2.105:50970 -> 192.168.2.103:8000 and
>> 192.168.2.103:8000 -> 192.168.2.105:50970
>
> Hi Matt,
>
> Thanks for your comments. I don't understand why these packets are "no different". The MY_HTTP_PORTS variable includes 8000. If I negate MY_HTTP_PORTS in my rule, why do I get an alert on 192.168.2.105:50970 -> 192.168.2.103:8000? Is it because port 8000 in the packet is not other ports in the variable, like 80, 81, etc.?
>
>>> Let's try another angle in a new snort.conf.
>>>
>>>     portvar NOT_MY_HTTP_PORTS [!80,!81,!82,!83,!88,!8000,!8008,!8080]
>>>     alert tcp any any -> any $NOT_MY_HTTP_PORTS (msg:"Example Not"; sid:5;)
>>>
>>> This time, Snort reports only one alert.
>>>
>>>     10/08-17:00:07.050091 [**] [1:5:0] Example Not [**] [Priority: 0] {TCP} 192.168.2.103:8000 -> 192.168.2.105:53298
>>
>> This I can't reproduce, my test alerts on the same packets as the first rule. Updating it with flow:to_server,established makes it behave as desired.
>
> This doesn't make sense either. I'm running snort -V:
>
>        ,,_     -*> Snort! <*-
>       o"  )~   Version 2.8.0 IPv6 (Build 67) FreeBSD
>        ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>                (C) Copyright 1998-2007 Sourcefire Inc., et al.
>                Using PCRE version: 6.6 06-Feb-2006
>
> Before I ask any other questions, are you running the equivalent? By the way, does your mention of adding "flow" mean the direction identifier -> is actually just a placeholder, and not doing anything these days?
>
> Thank you,
>
> Richard
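As an added illustration of the behaviour discussed in this thread (not code from the thread or from Snort itself): a small Python model of a rule header with a negated destination-port list, evaluated against both packets of a session between a client's ephemeral port and a server on port 8000. It assumes the common reading that the reply packet's destination is the client's ephemeral port, which is not in the list, so the negated list matches it unless the flow direction is restricted; per-item negation like [!80,!81] is not modelled.

```python
def parse_portlist(spec: str):
    """Parse a Snort-style port list such as '[80,81,8000]' or
    '![80,8000]' into (set_of_ports, negated).  Ranges written as
    'lo:hi' are expanded.  Per-item negation ([!80,!81]) is not modelled."""
    spec = spec.strip()
    negated = spec.startswith("!")
    body = spec.lstrip("!").strip("[]")
    ports = set()
    for item in body.split(","):
        lo, _, hi = item.strip().partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports, negated


def port_matches(port: int, ports: set, negated: bool) -> bool:
    # A negated list matches any port that is NOT in the list.
    return (port not in ports) if negated else (port in ports)


def rule_fires(pkt: dict, dst_spec: str, flow_to_server: bool = False) -> bool:
    """Model 'alert tcp any any -> any <dst_spec> (flow:to_server;)'.
    Only the destination-port test and the flow direction are modelled;
    the '->' token itself is not used to filter direction here."""
    ports, negated = parse_portlist(dst_spec)
    if flow_to_server and not pkt["to_server"]:
        return False          # flow:to_server drops server->client packets
    return port_matches(pkt["dst_port"], ports, negated)


# Constructed session resembling the one in the thread: a client on
# ephemeral port 50970 talks to a web server listening on 8000.
SESSION = [
    {"src_port": 50970, "dst_port": 8000, "to_server": True},   # request
    {"src_port": 8000, "dst_port": 50970, "to_server": False},  # reply
]

MY_HTTP_PORTS = "![80,81,82,83,88,8000,8008,8080]"   # negated list as in the thread


def alerting_packets(dst_spec: str, flow_to_server: bool = False) -> list:
    """Return the packets of SESSION on which the modelled rule would alert."""
    return [p for p in SESSION if rule_fires(p, dst_spec, flow_to_server)]


if __name__ == "__main__":
    print("without flow:", alerting_packets(MY_HTTP_PORTS))        # reply only
    print("with flow   :", alerting_packets(MY_HTTP_PORTS, True))  # nothing
```

Without flow:to_server the reply (8000 -> 50970) alerts because 50970 is not in the list; adding flow:to_server suppresses it, which is the effect John describes.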