Snort mailing list archives

Re: Using a var in the conf and local rules


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 25 Feb 2013 14:54:25 -0500

On 2/25/2013 12:51, honeybadger () q com wrote:
> Hey all,
>
> I am adding scanners for 600+ suspect IPs in a text file.
>
> Ok adding in include snort.var
>
> Adding var IP_RULES

> Then alert tcp any any -> $IP_RULES any (msg:"suspect IP detected"; sid:4525;)

> I would like if the alert would tell me which IP it found.

the alert report does tell that... at least for those that i've seen...

> Usually I would use a content but this is different.

not really...

> Any know how to set this up?

there's nothing to set up AFAIK... what are you using to detect the alerts??

here's a sample alert from the snort alert log so you can see what i'm saying 
about the IP being in there...

[**] [1:2500034:2789] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (18) [**]
[Classification: Misc Attack] [Priority: 2]
02/24-04:39:29.114306 < l/l len: 0 l/l type: 0x200 EC:B7:3E:F:0:0
pkt type:0x0 proto: 0x800 len:0x40
183.60.20.35:46258 -> XXX.XXX.XXX.XXX:80 TCP TTL:109 TOS:0x0 ID:9921 IpLen:20 DgmLen:48
******S* Seq: 0x78ABED36  Ack: 0x2F38F17D  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1412 NOP NOP SackOK
[Xref => http://doc.emergingthreats.net/bin/view/Main/CompromisedHosts]

in this case, 183.60.20.35 is listed in the rule's IP list... i've redacted the 
target server's IP...

the point being that everything you need to know is there except the actual 
packet that caused the alert... that would be found elsewhere in another "log 
file"... note that this may not be accurate with unified logging... we use only 
snort's default logging that is done when no output methods are defined...
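To show concretely that the matching address is already in the full-format alert, here is a small parser written for this thread (it is not code from either poster or from Snort). It reads a `var IP_RULES [...]` line like the one from the included snort.var, parses the alert block quoted above, and reports which endpoint of the alert falls inside the list. The redacted target and the two extra list entries are documentation-range placeholders, not real indicators.

```python
import re
import ipaddress

# Constructed sample of an included Snort variable file (the snort.var from the
# thread). 183.60.20.35 comes from the quoted alert; the other two entries are
# documentation-range placeholders, not real indicators.
SNORT_VAR = "var IP_RULES [183.60.20.35,198.51.100.7,203.0.113.0/24]\n"

# The full-format alert quoted in the reply, with the redacted target replaced
# by a placeholder address so the sample parses.
SAMPLE_ALERT = """\
[**] [1:2500034:2789] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (18) [**]
[Classification: Misc Attack] [Priority: 2]
02/24-04:39:29.114306 < l/l len: 0 l/l type: 0x200 EC:B7:3E:F:0:0
pkt type:0x0 proto: 0x800 len:0x40
183.60.20.35:46258 -> 192.0.2.10:80 TCP TTL:109 TOS:0x0 ID:9921 IpLen:20 DgmLen:48
******S* Seq: 0x78ABED36  Ack: 0x2F38F17D  Win: 0xFFFF  TcpLen: 28
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$", re.M)
HEADER_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
IPLINE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_vars(text):
    """Return {name: [ip_network, ...]} for every 'var NAME [a,b,...]' line."""
    out = {}
    for name, value in VAR_RE.findall(text):
        items = value.strip("[]").split(",")
        out[name] = [ipaddress.ip_network(i.strip(), strict=False) for i in items if i.strip()]
    return out


def parse_alert(block):
    """Pull gid/sid/rev, msg and the src/dst 4-tuple out of one full-format alert block."""
    hdr = HEADER_RE.search(block)
    ips = IPLINE_RE.search(block)
    if not hdr or not ips:
        return None  # not a complete alert block
    return {"gid": hdr.group(1), "sid": hdr.group(2), "rev": hdr.group(3), "msg": hdr.group(4),
            "src": ips.group(1), "sport": int(ips.group(2)), "dst": ips.group(3), "dport": int(ips.group(4))}


def listed_addresses(alert, networks):
    """Endpoints of the alert (src or dst) that fall inside the rule's IP list."""
    return [a for a in (alert["src"], alert["dst"])
            if any(ipaddress.ip_address(a) in n for n in networks)]


if __name__ == "__main__":
    nets = parse_vars(SNORT_VAR)["IP_RULES"]
    alert = parse_alert(SAMPLE_ALERT)
    print(alert["sid"], alert["msg"], "->", listed_addresses(alert, nets))  # ['183.60.20.35']
```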
