Snort mailing list archives
Alerting for traffic in internal network
From: Tyler MacPherson <tah338 () sr unh edu>
Date: Wed, 19 Dec 2012 11:02:48 -0500
Hi,

Currently, I'm trying to write some Snort rules for my company. I feel that these rules should be fairly simple, but I'm running into some issues with getting them to work properly, and I was wondering if I could get some assistance, as I am new to Snort and IDSs in general.

Basically, we have a firewall, which to get to, you would need to go through 2 other systems first. Behind that firewall we have an internal network. What I need to do is write rules that:

1) Alert any time a system on that inner network makes an outbound connection,
2) Alert any time there is traffic destined for the network behind the firewall that is not SQL Server traffic, and
3) Alert when there is traffic between systems on the inner network that is not SQL (ssh, rdesktop, etc).

Here are the rules I currently have in place:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound connection from inner network"; sid:1000009; priority:1; threshold:type threshold, track by_dst, count 7, seconds 60;)

alert tcp $EXTERNAL_NET !1433 -> $HOME_NET !1433 (msg:"Incoming traffic that is not SQL Server"; sid:1000010; priority:1; threshold:type threshold, track by_src, count 7, seconds 60;)

alert tcp $HOME_NET !1433 <> $HOME_NET !1433 (msg:"Incoming traffic between machines on internal network that is not SQL Server"; sid:1000011; priority:1;)

The first two seem to work OK; my question on those is whether there is a way for them to be more robust, or written in a better way? The third one, however, does not seem to work at all, and I'm not exactly sure why that is.

So, there's my problem(s). Any help would be greatly appreciated. Also, I should mention that my $HOME_NET variable is defined as 10.10.1.0/20 and $EXTERNAL_NET is set as !$HOME_NET.

Thanks in advance.
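The following is an added example, not part of the post above and not Snort itself: a small Python model of how the three rule headers from the post (networks, ports, the -> and <> operators, $EXTERNAL_NET as !$HOME_NET) decide whether a packet matches. It models only the rule header, not the threshold keyword, payload options or TCP state, and all packets are constructed sample values. Running it shows why rule 1000011 stays silent on internal SQL Server traffic, and also that rule 1000009 as written fires on the SQL server's own reply packets to an inbound query, because a plain header cannot tell a reply from a new outbound connection (in real Snort the flow:to_server,established option is what restricts a rule to client-to-server packets of an established session).

```python
"""
Toy model of Snort rule *headers* (networks, ports, -> and <>), used to
check which of the three rules from the post would fire on sample packets.
Only the header is modelled: no threshold, no payload, no TCP state.
"""
import ipaddress
from dataclasses import dataclass

# $HOME_NET as defined in the post. 10.10.1.0/20 has host bits set; with the
# /20 mask it covers 10.10.0.0 - 10.10.15.255 (strict=False masks them off).
HOME_NET = ipaddress.ip_network("10.10.1.0/20", strict=False)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def net_matches(spec: str, ip: str) -> bool:
    """'home' is $HOME_NET; 'external' is $EXTERNAL_NET, i.e. !$HOME_NET."""
    inside = ipaddress.ip_address(ip) in HOME_NET
    return inside if spec == "home" else not inside


def port_matches(spec, port: int) -> bool:
    """'any', an int (exact port) or ('not', int) (a negated port such as !1433)."""
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        return port != spec[1]
    return port == spec


@dataclass(frozen=True)
class Rule:
    sid: int
    src_net: str
    src_port: object
    dst_net: str
    dst_port: object
    bidirectional: bool = False  # True models the <> operator

    def _one_way(self, sip, sport, dip, dport) -> bool:
        return (net_matches(self.src_net, sip) and port_matches(self.src_port, sport)
                and net_matches(self.dst_net, dip) and port_matches(self.dst_port, dport))

    def matches(self, p: Packet) -> bool:
        if self._one_way(p.src_ip, p.src_port, p.dst_ip, p.dst_port):
            return True
        # <> also tries the header with source and destination swapped
        return self.bidirectional and self._one_way(p.dst_ip, p.dst_port, p.src_ip, p.src_port)


NOT_SQL = ("not", 1433)

# The three headers from the post, sid for sid.
RULES = [
    Rule(1000009, "home", "any", "external", "any"),                      # outbound from inner net
    Rule(1000010, "external", NOT_SQL, "home", NOT_SQL),                  # inbound, not SQL Server
    Rule(1000011, "home", NOT_SQL, "home", NOT_SQL, bidirectional=True),  # internal, not SQL
]


def firing_sids(p: Packet) -> list:
    """Return the SIDs of every rule whose header matches the packet."""
    return [r.sid for r in RULES if r.matches(p)]


# Constructed sample packets (not captured traffic); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for the outside world.
SAMPLES = {
    "outbound_https": Packet("10.10.3.5", 51000, "203.0.113.8", 443),
    "inbound_sql":    Packet("198.51.100.10", 52000, "10.10.3.5", 1433),
    "sql_reply":      Packet("10.10.3.5", 1433, "198.51.100.10", 52000),  # server answering inbound_sql
    "inbound_ssh":    Packet("198.51.100.10", 52000, "10.10.3.5", 22),
    "internal_ssh":   Packet("10.10.3.5", 52000, "10.10.4.7", 22),
    "internal_sql":   Packet("10.10.3.5", 52000, "10.10.4.7", 1433),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} -> {firing_sids(pkt)}")
```

Two things worth checking against a real deployment before changing the rules: the "sql_reply" row fires sid 1000009 even though it is the inner SQL server answering an inbound query, so an outbound-connection rule without flow:to_server,established counts replies as outbound; and a header like sid 1000011 can only match if the sensor interface actually sees host-to-host traffic inside the inner network, which a sensor placed at the firewall never does.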