Snort mailing list archives
Re: Alert file
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 21 Mar 2013 14:01:18 -0500
On 3/20/2013 15:24, Mohammad MontazerI wrote:
> Yes. i just want something to cause an alert. but question is: How?
i just posted the following on 12 Mar 2013 in this very list...

[quote]
what some blogs and helpers recommend is to create a local.rules file and then create a rule in there that will alert on everything... make sure that local.rules is included in your snort.conf and that it is with your other rules files with the proper permissions... then restart snort... the "catch everything" rules would be something like these...

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:3; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; sid:6; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; sid:7; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; sid:8; rev:1;)

"any" used to be allowed as a protocol but when i tested it just now with snort 2.9.3.1, it didn't like it at all... you'll want to disable these as soon as possible and restart snort ;)
[/quote]

and this followup to another person on the same day...

[quote]
i just posted some extremely simple ones that catch everything... however, they make a decent starting point, too... for example:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)

we'll change this to catch /any/ mention of ".exe" in /tcp/ traffic...

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe mentioned in tcp traffic inbound"; content:".exe"; sid:x; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe mentioned in tcp traffic outbound"; content:".exe"; sid:x; rev:1;)

there are two... one for inbound and one for outbound...

1. we changed the protocol from "icmp" to "tcp".
2. we adjusted the msg text that is used.
3. we added a content field to look for.
4. only ".exe" is looked for... ".EXE" or ".Exe" or ".eXe" or such will not trigger.
5. you have to set the SID number to a unique number for your rules sets... the revision should be incremented each time you make a (major?) change in the rule.

now, the above does not look for an actual executable file... it only looks for the four characters .exe all together... looking for actual binaries is a little bit tougher to do but the concept is still the same... you look for content... there are various buffers you can look in... you can go case insensitive... you can refine for specific examples via pcre...
[/quote]
> i don't know what that is!
> i just downloaded rules from here: http://www.snort.org/snort-rules
> and installed it on my opensuse.
> is that enough?
> http://www.snort.org/snort-rules

so then you currently do not use a rules manager... it isn't needed at this point anyway... all you want to do is cause an alert, right?
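As an added example, not from this thread or from Snort itself: a small Python checker for a local.rules file that flags the pitfalls the post above lists (protocol "any", a placeholder or duplicate sid, a content option missing its colon, and a case-sensitive content match with no nocase). The rule grammar it parses is a simplified assumption rather than Snort's own parser, and the sample rules are constructed.

```python
import re
from collections import Counter
# Simplified Snort 2 rule grammar (assumed here, not Snort's parser): action proto src sport -> dst dport (opts)
HEADER_RE = re.compile(r'^(?P<action>alert|log|pass|drop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+'
                       r'(?P<sport>\S+)\s+(->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    # returns (header fields, {keyword: value}) or None for a malformed header
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group('opts')):  # split on ';' outside quotes
        if raw.strip():
            key, _, val = raw.strip().partition(':')
            opts[key.strip()] = val.strip().strip('"')
    return m.groupdict(), opts

def lint_rules(lines):
    # reports the pitfalls the post lists as (line number, message); line 0 means the whole file
    problems, sids = [], Counter()
    for n, line in enumerate(lines, 1):
        parsed = parse_rule(line)
        if parsed is None:
            problems.append((n, 'unparseable rule'))
            continue
        hdr, opts = parsed
        if hdr['proto'] == 'any':
            problems.append((n, 'protocol "any" is not accepted; use ip'))
        if 'content;' in line:
            problems.append((n, 'content needs a colon: content:"..."'))
        sid = opts.get('sid')
        if sid is None or not sid.isdigit():
            problems.append((n, 'sid must be a unique integer, not a placeholder'))
        else:
            sids[sid] += 1
        if 'content' in opts and 'nocase' not in opts:
            problems.append((n, 'content match is case-sensitive; add nocase'))
    problems += [(0, f'sid {s} used {c} times') for s, c in sids.items() if c > 1]
    return problems

# Constructed sample local.rules in the post's style, with the mistakes it warns about.
SAMPLE_RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)',
    'alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:1; rev:1;)',
    'alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"any traffic inbound"; sid:7; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:".exe inbound"; content;".exe"; sid:x; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:".exe outbound"; content:".exe"; nocase; sid:9; rev:2;)',
]
```

Calling lint_rules(SAMPLE_RULES) returns the flagged lines; only the last rule, with an integer sid and nocase, passes clean.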