Snort mailing list archives

Alerting for traffic in internal network


From: Tyler MacPherson <tah338 () sr unh edu>
Date: Wed, 19 Dec 2012 11:02:48 -0500

Hi,

Currently, I'm trying to write some Snort rules for my company. I feel 
that these rules should be fairly simple, but I'm running into some 
issues with getting them to work properly, and I was wondering if I 
could get some assistance, as I am new to Snort and IDSs in general. 
Basically, we have a firewall, which to get to, you would need to go 
through 2 other systems first. Behind that firewall we have an internal 
network. What I need to do is write rules that 1) alert any time a 
system on that inner network makes an outbound connection, 2) alert any 
time there is traffic destined for the network behind the firewall that 
is not SQL Server traffic, and 3) alert when there is traffic between 
systems on the inner network that is not SQL (ssh, rdesktop, etc.).

Here are the rules I currently have in place:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound connection 
from inner network"; sid: 1000009; priority:1;threshold:type threshold, 
track by_dst, count 7, seconds 60;)

alert tcp $EXTERNAL_NET !1433 -> $HOME_NET !1433 (msg:"Incoming traffic 
that is not SQL Server"; sid: 1000010; priority:1;threshold:type 
threshold, track by_src, count 7, seconds 60;)

alert tcp $HOME_NET !1433 <> $HOME_NET !1433 (msg:"Incoming traffic 
between machines on internal network that is not SQL Server";sid: 
1000011; priority:1;)

The first two seem to work OK; my question on those is whether there is 
a way for them to be more robust, or written in a better way. The third 
one, however, does not seem to work at all, and I'm not exactly sure why 
that is. So, there's my problem(s). Any help would be greatly appreciated.

Also, I should mention that my $HOME_NET variable is defined as 
10.10.1.0/20 and $EXTERNAL_NET is set as !$HOME_NET.

Thanks in advance.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
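As an added example (not from the poster, from any reply in the thread, or from the Snort project), the Python model below evaluates the three rule headers and their `threshold` options from the post against constructed flow records. It assumes the Snort manual's documented event-thresholding semantics (`type limit` alerts on the first `count` events per window, `type threshold` alerts every `count`-th event, `type both` alerts once per window after the `count`-th event), treats `$EXTERNAL_NET` as `!$HOME_NET` as the post states, and matches a `<>` header by trying it with the endpoints swapped. It is not Snort's own parser and says nothing about why the third rule fails on the poster's sensor; what it does show is that with `type threshold, count 7` the first six matching connections per tracked address are silent, so a single inbound SSH connection never produces an alert under the second rule. One caveat it also encodes: `10.10.1.0/20` is not on a /20 boundary, so with the /20 mask it denotes `10.10.0.0/20` (10.10.0.0 to 10.10.15.255).

```python
import ipaddress

# $HOME_NET as defined in the post; strict=False applies the /20 mask,
# giving 10.10.0.0/20 (10.10.0.0-10.10.15.255).
HOME_NET = ipaddress.ip_network("10.10.1.0/20", strict=False)


def net_matches(spec, ip):
    """$HOME_NET, or $EXTERNAL_NET which the post defines as !$HOME_NET."""
    inside = ipaddress.ip_address(ip) in HOME_NET
    return inside if spec == "$HOME_NET" else not inside


def port_matches(spec, port):
    """'any', a single port such as '1433', or a negated port such as '!1433'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)


class Threshold:
    """Model of 'threshold:type <limit|threshold|both>, track <by_src|by_dst>,
    count c, seconds s' per the Snort manual's event-thresholding section."""

    def __init__(self, ttype, track, count, seconds):
        self.ttype, self.track = ttype, track
        self.count, self.seconds = count, seconds
        self.windows = {}  # tracked address -> (window_start, events_seen)

    def allow(self, flow, now):
        key = flow["src"] if self.track == "by_src" else flow["dst"]
        start, seen = self.windows.get(key, (None, 0))
        if start is None or now - start >= self.seconds:
            start, seen = now, 0  # open a new time window for this address
        seen += 1
        self.windows[key] = (start, seen)
        if self.ttype == "limit":
            return seen <= self.count
        if self.ttype == "threshold":
            return seen % self.count == 0
        return seen == self.count  # 'both'


class Rule:
    def __init__(self, sid, src, sport, direction, dst, dport, threshold=None):
        self.sid, self.src, self.sport = sid, src, sport
        self.direction, self.dst, self.dport = direction, dst, dport
        self.threshold = threshold

    def _one_way(self, src, sport, dst, dport):
        return (net_matches(self.src, src) and port_matches(self.sport, sport)
                and net_matches(self.dst, dst) and port_matches(self.dport, dport))

    def header_matches(self, f):
        if self._one_way(f["src"], f["sport"], f["dst"], f["dport"]):
            return True
        # '<>' also accepts the packet with its two endpoints swapped.
        return self.direction == "<>" and self._one_way(
            f["dst"], f["dport"], f["src"], f["sport"])

    def evaluate(self, flow, now):
        """True when this rule would raise an alert for the flow at time now."""
        if not self.header_matches(flow):
            return False
        return self.threshold is None or self.threshold.allow(flow, now)


def build_rules():
    """The three rule headers and threshold options exactly as posted."""
    return [
        Rule(1000009, "$HOME_NET", "any", "->", "$EXTERNAL_NET", "any",
             Threshold("threshold", "by_dst", 7, 60)),
        Rule(1000010, "$EXTERNAL_NET", "!1433", "->", "$HOME_NET", "!1433",
             Threshold("threshold", "by_src", 7, 60)),
        Rule(1000011, "$HOME_NET", "!1433", "<>", "$HOME_NET", "!1433"),
    ]


def flow(t, src, sport, dst, dport):
    return {"t": t, "src": src, "sport": sport, "dst": dst, "dport": dport}


def simulate(rules, flows):
    """Return {sid: number of alerts} for the flows, processed in time order."""
    alerts = {r.sid: 0 for r in rules}
    for f in sorted(flows, key=lambda x: x["t"]):
        for r in rules:
            if r.evaluate(f, f["t"]):
                alerts[r.sid] += 1
    return alerts


# Constructed traffic (not captured data): seven outbound HTTPS connections
# from one internal host, one inbound SQL Server connection, seven inbound
# SSH attempts from one external source, an internal SSH session, and
# internal SQL Server traffic in the reverse direction.
SAMPLE_FLOWS = (
    [flow(i, "10.10.1.5", 40000 + i, "203.0.113.9", 443) for i in range(7)]
    + [flow(10, "198.51.100.7", 51000, "10.10.2.10", 1433)]
    + [flow(20 + i, "198.51.100.7", 52000 + i, "10.10.2.10", 22) for i in range(7)]
    + [flow(30, "10.10.1.5", 41000, "10.10.2.10", 22),
       flow(31, "10.10.2.10", 1433, "10.10.1.5", 41001)]
)

if __name__ == "__main__":
    print(simulate(build_rules(), SAMPLE_FLOWS))  # {1000009: 1, 1000010: 1, 1000011: 1}
```

Running it gives one alert per rule: the first two rules fire only on the seventh event in their 60-second windows, and the third fires on the internal SSH flow while the internal SQL Server flow is excluded by the negated port in both header orientations. Dropping the seventh outbound connection (or the seventh SSH attempt) makes the corresponding alert disappear, which is the behaviour to keep in mind when deciding whether `type threshold` or `type limit` is the right choice for a rule meant to catch the first unexpected connection.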