Snort mailing list archives

Re: Snort rule for any services that run on non-standard port


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 17 Aug 2016 11:43:53 +0000

Hello,

Sounds like you need to use the service command:

"
2.7.5.1 Attribute Table Affect on rules

Snort uses service information in two ways; initialization of detection engine and as a detection criteria. To take 
advantage of this, Snort rules must contain the metadata: service SERVICE convention specified. During rule evaluation 
the default behavior will check first that the packet has been matched to a service, and then check that the packet's 
service matches the service(s) specified in the rule; if both these checks passed then Snort will disable source and 
destination port checks for the rule.

"


http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node22.html#targetbased




Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
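As an added illustration of the mechanism quoted above (this is not Al Lewis's code nor a Snort project rule), the three fragments below show how a rule with `metadata:service` and a host attribute table fit together. Assumptions: the host 192.168.1.10 runs RDP on TCP port 3390, the service is named "rdp" in both the attribute map and the rule, the sid 1000001 is a free local sid, and the two content matches (the TPKT header `03 00` followed by an X.224 Connection Request code `E0` at offset 5) are an illustrative match on the first RDP client message, not a vetted signature.

```snort
# --- snort.conf (Snort 2.9.x) ---
# Load a host attribute table so that packets can be matched to a service
# independently of the port they arrive on.
attribute_table filename /etc/snort/hosts.xml

# --- local.rules ---
# The rule carries "metadata:service rdp". When Snort has matched the packet
# to the service "rdp" (here via the attribute table below), it disables the
# source/destination port checks for this rule. The port list is left as
# "any" so the rule still behaves sensibly for hosts that are NOT in the
# attribute table: for those, the ordinary port check applies.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"RDP X.224 Connection Request on a non-standard port"; \
    flow:to_server,established; \
    content:"|03 00|"; depth:2; \
    content:"|E0|"; offset:5; depth:1; \
    metadata:service rdp; \
    classtype:misc-activity; \
    sid:1000001; rev:1; \
)

# --- /etc/snort/hosts.xml (assumed path) ---
# Host 192.168.1.10 (assumed) runs the service named "rdp" on TCP port 3390
# (assumed). The VALUE string in the ATTRIBUTE_MAP must match the name used
# in metadata:service in the rule; the PROTOCOL entry references it by ID.
<SNORT_ATTRIBUTES>
  <ATTRIBUTE_MAP>
    <ENTRY>
      <ID>1</ID>
      <VALUE>rdp</VALUE>
    </ENTRY>
  </ATTRIBUTE_MAP>
  <ATTRIBUTE_TABLE>
    <HOST>
      <IP>192.168.1.10</IP>
      <SERVICES>
        <SERVICE>
          <PORT>
            <ATTRIBUTE_VALUE>3390</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </PORT>
          <IPPROTO>
            <ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE>
            <CONFIDENCE>100</CONFIDENCE>
          </IPPROTO>
          <PROTOCOL>
            <ATTRIBUTE_ID>1</ATTRIBUTE_ID>
            <CONFIDENCE>100</CONFIDENCE>
          </PROTOCOL>
        </SERVICE>
      </SERVICES>
    </HOST>
  </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
```

Two checks worth making before relying on this: first, the quoted manual text says the port checks are only disabled when the packet has already been matched to a service, so traffic to a host or port that is absent from the attribute table is evaluated against the rule's own port list, which is why the port list above is not narrowed to 3389; second, the service name is a free-form string that must be spelled identically in the ATTRIBUTE_MAP VALUE and in every rule's `metadata:service`, since a mismatch silently leaves the rule on plain port matching.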

From: amir zargaran <zargaran.amir () gmail com<mailto:zargaran.amir () gmail com>>
Date: Wednesday, August 17, 2016 at 4:01 AM
To: "snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>" <snort-sigs () lists sourceforge 
net<mailto:snort-sigs () lists sourceforge net>>
Subject: [Snort-sigs] Snort rule for any services that run on non-standard port

Dear all,

Please help me with how to create a rule for services that run on a non-standard and non-popular port.
For example, I want to create a rule for the RDP terminal service that runs on a non-public (3389) port.
BR
amir
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
