Snort mailing list archives
rule problem
From: alim () dataserve aim edu ph
Date: Fri, 8 Jun 2001 15:06:24 +0800
Hi, I have several questions to ask. Please bear with me because I'm a new user of Snort. I know that this is a powerful tool but I don't know yet how to manipulate it. When I'm running Snort I'm getting this error message: "Port value missing in rule". Suppose that I want to run it with the scan rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt";flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy attempt";flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"INFO - Possible Squid Scan"; flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg: "SCAN - portmap listing 32771"; flags: A+; rpc: 100000,*,*; reference:arachnids,429;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - wayboard request - allows reading of arbitrary files as http service"; content:"way-board"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - palscgi request - allows reading of arbitrary files as http service"; content:"pals-cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - commerce request - allows reading of arbitrary files as http service"; content:"commerce.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - sendtemp request - allows reading of arbitrary files as http service"; content:"sendtemp.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - webspirs request - allows reading of arbitrary files as http service"; content:"webspirs.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - tstisapi request - allows arbitrary commands as http service"; content:"tstisapi.dll"; nocase;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SCAN - Named probe authors"; content: "|07|authors|04|bind"; depth: 26; offset: 12; nocase; reference:arachnids,480;)
alert tcp $HOME_NET 31337 -> $EXTERNAL_NET 80 (msg:"SCAN synscan microsoft"; id: 39426; flags: SF;reference:arachnids,459;)
alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"SCAN trojan hack-a-tack probe"; content: "A"; depth: 1; reference:arachnids,314; flags:A+;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flags: FPA; content:"/00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00/";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF;reference:arachnids,441;)
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ttl: 220; ack: 0; flags: S;reference:arachnids,439;)
alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content: "|8007 0000 0700 0004 0000 0000 00|";reference:arachnids,408;)
alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan ehlo";flags: A+; content:"ehlo cybercop|0a|quit|0a|"; reference:arachnids,372;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan expn";flags: A+; content:"expn cybercop"; reference:arachnids,371;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content: "|0A 68 65 6C 70 0A 71 75 69 74 0A|";reference:arachnids,308;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version"; flags: A+; content: "VERSION|0A|"; depth: 16;reference:arachnids,303;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version"; content:"Amanda"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags: SFU12; ack: 0; depth: 16; reference:arachnids,150;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flags: SF12; dsize: 0; reference:arachnids,146;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags: PA12; depth: 16; reference:arachnids,149;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF; reference:arachnids,198;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt";flags:SFPU; reference:arachnids,05;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL";flags:0; seq:0; ack:0; reference:arachnids,4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS";flags:SRAFPU; reference:arachnids,144;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F; reference:arachnids,27;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN IP Eye SYN Scan"; flags: S; seq: 1958810375; reference:arachnids,236;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Synscan Portscan ID 19104"; id: 19104; flags: S; reference: arachnids,521;)

What value should I put to replace EXTERNAL_NET, HOME_NET and SMTP? Can I put a value that can scan all the ports? E.g. 192.154.1.0 will scan 192.154.1.0-192.154.1.255. Or what value should I put to replace EXTERNAL_NET to scan all the possible attacks or the like? Hope to hear from you guys!

- arthus -

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
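The three usual causes of a rule-header parse error in a hand-copied rules file are a rule that a mail client wrapped onto two lines (the continuation is then read as a rule of its own), a $VARIABLE used in a rule but never defined with a `var` line, and a header that really is missing its port field. The checker below is an added example, not code from the original post or from the Snort project; it lints Snort 1.x-style rule headers offline without running Snort. The `var` values (192.154.1.0/24 for HOME_NET, `!$HOME_NET` for EXTERNAL_NET) and the SAMPLE rules are constructed for the example, and the helper names are hypothetical.

```python
"""Offline linter for the header part of Snort 1.x-style rules (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOS = {"tcp", "udp", "icmp", "ip"}

# header layout: action proto src_ip src_port direction dst_ip dst_port ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# any, a single port, a lo:hi range, an open-ended range, optionally negated
PORT_RE = re.compile(r"^!?(any|\d{1,5}|\d{1,5}:\d{0,5}|:\d{1,5})$")


def resolve(token: str, variables: Dict[str, str]) -> str:
    """Expand $NAME references, including nested ones such as !$HOME_NET."""
    for _ in range(10):
        m = re.search(r"\$(\w+)", token)
        if not m:
            break
        if m.group(1) not in variables:
            raise KeyError(m.group(1))
        token = token.replace(m.group(0), variables[m.group(1)], 1)
    return token


def address_ok(token: str) -> bool:
    """Accept any, a host or CIDR block, or a [a,b,c] list, each optionally negated."""
    token = token.lstrip("!")
    if token == "any":
        return True
    try:
        for part in token.strip("[]").split(","):
            ipaddress.ip_network(part.lstrip("!"), strict=False)
    except ValueError:
        return False
    return True


def lint(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) pairs for a snort.conf / rules fragment."""
    variables: Dict[str, str] = {}
    problems: List[Tuple[int, str]] = []
    logical: List[Tuple[int, str]] = []  # (first physical line, joined text)
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        buf, start = (buf + " " + line, start) if buf else (line, n)
        if buf.endswith("\\"):           # explicit backslash continuation
            buf = buf[:-1]
            continue
        logical.append((start, buf))
        buf = ""
    for n, line in logical:
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            parts = line.split(None, 2)
            if len(parts) < 3:
                problems.append((n, "var without a value"))
            else:
                variables[parts[1]] = parts[2]
            continue
        if line.split()[0] not in ACTIONS:
            problems.append((n, f"not a rule or var line (wrapped continuation?): {line[:40]!r}"))
            continue
        m = HEADER_RE.match(line)
        if not m:
            head = line.split("(", 1)[0].split()
            if len(head) == 6:
                problems.append((n, "port value missing in rule header"))
            elif not line.endswith(")"):
                problems.append((n, "options not closed with ')' (rule wrapped onto next line?)"))
            else:
                problems.append((n, "malformed header: expected 'action proto src sport dir dst dport (opts)'"))
            continue
        if m["proto"] not in PROTOS:
            problems.append((n, f"unknown protocol {m['proto']}"))
        for field in ("src", "sport", "dst", "dport"):
            try:
                value = resolve(m[field], variables)
            except KeyError as e:
                problems.append((n, f"undefined variable ${e.args[0]} in {field}"))
                continue
            if field.endswith("port"):
                if not PORT_RE.match(value):
                    problems.append((n, f"bad port value {value!r} in {field}"))
            elif not address_ok(value):
                problems.append((n, f"bad address {value!r} in {field}"))
    return problems


# Constructed sample: two vars, two good rules, an undefined $SMTP, a rule
# wrapped by a mail client, and a header that genuinely lacks its port.
SAMPLE = """\
var HOME_NET 192.154.1.0/24
var EXTERNAL_NET !$HOME_NET
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt"; flags:S;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version"; content:"Amanda"; nocase;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan ehlo"; flags:A+; content:"ehlo cybercop|0a|quit|0a|";)
alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"SCAN trojan
hack-a-tack probe"; content:"A"; depth:1; flags:A+;)
alert tcp $EXTERNAL_NET any -> $HOME_NET (msg:"missing port";)
"""

if __name__ == "__main__":
    for lineno, problem in lint(SAMPLE):
        print(f"line {lineno}: {problem}")
```

Defining `var HOME_NET` as a CIDR block (192.154.1.0/24 covers 192.154.1.0 through 192.154.1.255) and `var EXTERNAL_NET !$HOME_NET` is what the rules above expect; `$SMTP` must likewise get its own `var` line, or be replaced by `$HOME_NET`, before Snort will load the two SMTP rules. Ports are set per rule in the header, so "scanning all ports" is simply `any` in the port field, as most of the rules already use.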
Current thread:
- rule problem alim (Jun 08)
- <Possible follow-ups>
- RE: rule problem Dell, Jeffrey (Jun 08)
- RE: rule problem Dell, Jeffrey (Jun 08)