Snort mailing list archives
Re: Rule help
From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Tue, 23 Dec 2008 14:21:57 -0600
Quoting "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>:
My original rule worked out great, but I tried to create another rule that alerts me on anything that went from the $HOME_NET to $EXTERNAL_NET port 11830, and I obviously did something wrong, since I got about 3 million alerts in 5 minutes... pretty much all traffic going to the IDS sensor (which takes forever to delete via BASE!) Here's what I tried:

alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)
Change the "ip" to tcp. IP protocol ignores the src and dest port numbers. So yes, this rule is catching *any* outbound traffic.

jp

--
Framework? I don't need no stinking framework!
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
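To make the difference concrete, here is an added illustration (not code from the thread or from Snort itself) that models the rule-header matching Jack describes: a protocol of "ip" matches every IP packet and the port fields are ignored, whereas "tcp" restricts the match to TCP packets on the given port. $HOME_NET and $EXTERNAL_NET are abstracted to the labels "home" and "external", and the packets are constructed sample traffic; the real Snort engine is not involved.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two rule headers from the thread: the broken "ip" version and the "tcp" fix.
BROKEN_RULE = 'alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)'
FIXED_RULE = 'alert tcp $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)'

# action proto src sport direction dst dport, followed by the option block.
HEADER_RE = re.compile(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(')

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src_net: str            # "home" or "external" (constructed stand-in for the Snort variables)
    dst_net: str
    src_port: Optional[int]  # None for protocols without ports (icmp)
    dst_port: Optional[int]

def parse_header(rule):
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule header")
    action, proto, src, sport, direction, dst, dport = m.groups()
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def net_matches(var, net):
    return {"$HOME_NET": "home", "$EXTERNAL_NET": "external", "any": net}[var] == net

def port_matches(spec, port):
    return spec == "any" or (port is not None and int(spec) == port)

def header_matches(hdr, pkt):
    if not (net_matches(hdr["src"], pkt.src_net) and net_matches(hdr["dst"], pkt.dst_net)):
        return False
    if hdr["proto"] == "ip":
        # Protocol "ip" covers every IP packet and the port fields are ignored,
        # which is why the original rule fired on all outbound traffic.
        return True
    if hdr["proto"] != pkt.proto:
        return False
    return port_matches(hdr["sport"], pkt.src_port) and port_matches(hdr["dport"], pkt.dst_port)

def count_hits(rule, packets):
    """Number of sample packets the rule header would select."""
    hdr = parse_header(rule)
    return sum(header_matches(hdr, p) for p in packets)

SAMPLE_TRAFFIC = [  # constructed traffic: four outbound packets, one inbound reply
    Packet("tcp", "home", "external", 51000, 11830),   # the only packet the fixed rule should hit
    Packet("tcp", "home", "external", 51001, 443),
    Packet("udp", "home", "external", 51002, 53),
    Packet("icmp", "home", "external", None, None),
    Packet("tcp", "external", "home", 443, 51001),     # inbound, must never match either rule
]
```

Running count_hits on both rules against SAMPLE_TRAFFIC shows the "ip" header selecting all four outbound packets and the "tcp" header selecting only the one to port 11830.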
Current thread:
- Rule help Jefferson, Shawn (Dec 19)
- Re: Rule help Markus Lude (Dec 19)
- Re: Rule help Matt Olney (Dec 19)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Joel Esler (Dec 23)
- Re: Rule help Jack Pepper (Dec 23)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Jack Pepper (Dec 23)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Joel Esler (Dec 23)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Markus Lude (Dec 19)