Snort mailing list archives

Re: Custom Snort Rule Problem


From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 29 Nov 2012 03:13:05 +0000

Ok.. interesting idea. I didn't know it would make that much of a
difference. I honestly assumed that by not matching traffic and only
matching port/up it would be faster than searching for specific data inside
packets too.

Thanks..
On Nov 28, 2012 6:30 PM, "JJC" <cummingsj () gmail com> wrote:

Exactly, DNS packets have specific structure ( fields etc ) that you can
write to.

Sent from my iPad

On Nov 28, 2012, at 19:25, Joel Esler <jesler () sourcefire com> wrote:

Write content matches for the DNS traffic itself.

--
*Joel Esler*
Sent from my iPhone 

On Nov 28, 2012, at 6:29 PM, Jeremy Hoel <jthoel () gmail com> wrote:

I'm not sure how you could write that with content matches for unknown
things.  I.e.:  we have a /16 and some VPN nets.. and so while we don't
expect this rule to fire often, it still does.

I could put HOME_NET in first, but that would include the DNS servers
I don't care about.. so then maybe define HOME_NOT_DNS and then
rewrite the rule as

alert tcp HOME_NOT_DNS any -> !$DNS_SERVERS 53 (msg:"DNS traffic not
to-from DNS server"; classtype: misc-activity;sid:1000080;)

Like that?



On Wed, Nov 28, 2012 at 11:12 PM, JJC <cummingsj () gmail com> wrote:

You really want some content matches in there, dramatic performance
increase.


Sent from my iPad


On Nov 28, 2012, at 16:26, Jeremy Hoel <jthoel () gmail com> wrote:


We do a version of this on our network..

var DNS_SERVERS [8.8.8.8,8.8.4.4, <other trusted DNS servers on local
subnet>]

alert tcp !$DNS_SERVERS any -> !$DNS_SERVERS 53 (msg:"DNS traffic not
to-from DNS server"; classtype: misc-activity;sid:1000080;)

alert udp !$DNS_SERVERS any -> !$DNS_SERVERS 53 (msg:"DNS traffic not
to-from DNS server"; classtype: misc-activity;sid:1000081;)

so that anything that we see that's not to a DNS server we want, we
know about.. from inside out or other way around.

I don't know that you can do your IP declarations like that when you
are making the rule.



On Wed, Nov 28, 2012 at 9:48 PM, Ryan Martin <rmartin () internet2 edu>
wrote:

Hello everyone,

I've been working on some rules lately and can't figure out why the rule
below won't work.  It won't trigger on anything, even when I purposefully
put traffic out there that should trigger it.

I've read the snort manual sections for the structure of a rule and IP
Variables/IP Lists on how to exclude IP addresses from a block of IPs and
such.  I also dug up some other online resources.  I'm not sure what the
issue is, but if anyone out there could point me in the right direction on
figuring out what my issue is, I'd be greatly appreciative.

Rule:

alert udp [$HOME_NET,![$DNS_SERVERS]] any ->
[$EXTERNAL_NET,![8.8.8.8,8.8.4.4]] 53 (msg:"BLAH BLAH BLAH";
classtype:trojan-activity; sid:1000006; rev:1;)

It is the intent of the rule to trigger on all devices (but not the DNS
servers) using a DNS server that we did not approve.  Google's DNS servers
are in there because we use them on some of our other machines.  I'll worry
about the DNS TCP traffic rule once I get this one figured out.

Thanks for any help,

-Ryan



------------------------------------------------------------------------------

Keep yourself connected to Go Parallel:

INSIGHTS What's next for parallel hardware, programming and related areas?

Interviews and blogs by thought leaders keep you ahead of the curve.

http://goparallel.sourceforge.net

_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users


Please visit http://blog.snort.org to stay current on all the latest Snort

news!
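The thread above turns on two points: what an address list like `[$HOME_NET,![$DNS_SERVERS]]` (or Jeremy's proposed HOME_NOT_DNS) actually selects, and JJC's and Joel's advice that a rule for port 53 should also match on the DNS payload itself rather than on ports alone. The Python below is an added example written for this page, not code from any of the posters; it models the proposed rule `alert udp HOME_NOT_DNS any -> !$DNS_SERVERS 53` as a predicate over constructed packets, with a DNS header check standing in for what a Snort rule would express with `content`/`offset`/`depth` or `byte_test` options on the first 12 bytes of the UDP payload. The networks, resolver addresses and packets are assumed sample values, not anyone's real configuration or traffic.

```python
import ipaddress
import struct

# Constructed stand-ins for the Snort variables discussed in the thread.
# These are ASSUMED values, not anyone's real configuration.
HOME_NET = [ipaddress.ip_network("10.0.0.0/16")]
DNS_SERVERS = [
    ipaddress.ip_network("10.0.0.53/32"),  # assumed internal resolver
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("8.8.4.4/32"),
]
DNS_PORT = 53


def in_list(addr: str, nets) -> bool:
    """True if addr falls inside any network in the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def looks_like_dns_query(payload: bytes) -> bool:
    """Header check a rule would express with content/offset/depth or byte_test
    on the first 12 payload bytes: QR bit clear (a query), opcode 0 (standard),
    QDCOUNT == 1 and ANCOUNT == 0."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    is_query = (flags & 0x8000) == 0
    opcode_standard = ((flags >> 11) & 0x0F) == 0
    return is_query and opcode_standard and qdcount == 1 and ancount == 0


def rule_matches(src: str, dst: str, dport: int, payload: bytes) -> bool:
    """Evaluate: alert udp HOME_NOT_DNS any -> !$DNS_SERVERS 53, plus the header check.
    HOME_NOT_DNS is 'inside HOME_NET and not one of DNS_SERVERS'."""
    src_ok = in_list(src, HOME_NET) and not in_list(src, DNS_SERVERS)
    dst_ok = not in_list(dst, DNS_SERVERS)
    return src_ok and dst_ok and dport == DNS_PORT and looks_like_dns_query(payload)


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS A query for qname (test input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100: standard query, RD set
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_response(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a DNS response header (QR set, one answer) for the negative case."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    return header + build_query(qname)[12:]


def run(packets):
    """Return 'src -> dst:port' for every packet that would raise the alert."""
    return [f"{s} -> {d}:{p}" for s, d, p, pl in packets if rule_matches(s, d, p, pl)]


if __name__ == "__main__":
    q = build_query("example.com")
    sample = [  # constructed packets: (src, dst, dport, payload)
        ("10.0.1.20", "1.1.1.1", 53, q),           # host to an unapproved resolver: alert
        ("10.0.1.20", "8.8.8.8", 53, q),           # host to an approved resolver: quiet
        ("10.0.0.53", "1.1.1.1", 53, q),           # the internal resolver forwarding: quiet
        ("10.0.1.20", "1.1.1.1", 53, b"not dns"),  # port 53 but no DNS header: quiet
        ("1.1.1.1", "10.0.1.20", 53, build_response("example.com")),  # reply, not from HOME_NET: quiet
    ]
    for hit in run(sample):
        print("ALERT DNS traffic not to-from DNS server:", hit)
```

The fourth sample packet is the one the port-only rules in the thread would still alert on; the header check is what keeps it quiet, which is the performance and precision point JJC and Joel were making. The third packet shows why the source side needs "HOME_NET minus DNS_SERVERS" rather than HOME_NET alone, as Jeremy noted.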


