Snort mailing list archives

RE: rule problem


From: "Dell, Jeffrey" <JDell () seisint com>
Date: Fri, 8 Jun 2001 07:52:02 -0400

Oops.. maybe I should double-check my wording before I send it the next
time. I had an extra octet.. hehe

it should be....

To get all addresses from 192.154.1.0-192.154.1.255, the format should
be like this:

var HOME_NET [192.154.1.0/24]

-----Original Message-----
From: Dell, Jeffrey [mailto:JDell () seisint com]
Sent: Friday, June 08, 2001 7:30 AM
To: 'alim () dataserve aim edu ph'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] rule problem



Make sure that the values are set properly for $EXTERNAL_NET and $HOME_NET.
I have found that is typically when I get this message.

To get all addresses from 192.168.154.1.0-192.168.154.255, the format should
be like this:

var HOME_NET [192.154.1.0/24]

Jeff

-----Original Message-----
From: alim () dataserve aim edu ph [mailto:alim () dataserve aim edu ph]
Sent: Friday, June 08, 2001 3:06 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] rule problem



Hi,

I have several questions to ask. Please bear with me because I'm a new user of
Snort.  I know that this is a powerful tool but I don't know yet how to
manipulate it.  When I'm running Snort I'm getting this error message:

Port value missing in rule.

Suppose that I want to run it with the scan rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt";flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy attempt";flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"INFO - Possible Squid Scan"; flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg: "SCAN - portmap listing 32771"; flags: A+; rpc: 100000,*,*; reference:arachnids,429;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - wayboard request - allows reading of arbitrary files as http service"; content:"way-board"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - palscgi request - allows reading of arbitrary files as http service"; content:"pals-cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - commerce request - allows reading of arbitrary files as http service"; content:"commerce.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - sendtemp request - allows reading of arbitrary files as http service"; content:"sendtemp.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - webspirs request - allows reading of arbitrary files as http service"; content:"webspirs.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - tstisapi request - allows arbitrary commands as http service"; content:"tstisapi.dll"; nocase;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SCAN - Named probe authors"; content: "|07|authors|04|bind"; depth: 26; offset: 12; nocase; reference:arachnids,480;)
alert tcp $HOME_NET 31337 -> $EXTERNAL_NET 80 (msg:"SCAN synscan microsoft"; id: 39426; flags: SF;reference:arachnids,459;)
alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"SCAN trojan hack-a-tack probe"; content: "A"; depth: 1; reference:arachnids,314; flags:A+;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flags: FPA; content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF;reference:arachnids,441;)
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ttl: 220; ack: 0; flags: S;reference:arachnids,439;)
alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content: "|8007 0000 0700 0004 0000 0000 00|";reference:arachnids,408;)
alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan ehlo";flags: A+; content:"ehlo cybercop|0a|quit|0a|"; reference:arachnids,372;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan expn";flags: A+; content:"expn cybercop"; reference:arachnids,371;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content: "|0A 68 65 6C 70 0A 71 75 69 74 0A|";reference:arachnids,308;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version"; flags: A+; content: "VERSION|0A|"; depth: 16;reference:arachnids,303;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version"; content:"Amanda"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags: SFU12; ack: 0; depth: 16; reference:arachnids,150;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flags: SF12; dsize: 0; reference:arachnids,146;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags: PA12; depth: 16; reference:arachnids,149;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF; reference:arachnids,198;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt";flags:SFPU; reference:arachnids,05;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL";flags:0; seq:0; ack:0; reference:arachnids,4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS";flags:SRAFPU; reference:arachnids,144;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F; reference:arachnids,27;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN IP Eye SYN Scan"; flags: S; seq: 1958810375; reference:arachnids,236;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Synscan Portscan ID 19104"; id: 19104; flags: S; reference: arachnids,521;)


What value should I put to replace EXTERNAL_NET, HOME_NET and SMTP?

Can I put a value that can scan all the ports? E.g. 192.154.1.0 will scan
192.154.1.0-192.154.1.255.
Or what value should I put to replace EXTERNAL_NET to scan all the possible
attacks or the likes?

Hope to hear from you guys!


- arthus
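As an added illustration (not code from the thread or from Snort itself), a small Python checker that reads the var lines of a snort.conf fragment, resolves $VAR references in rule headers and flags the two problems this thread turns on: a header whose port field is missing, which is what Snort reports as "Port value missing in rule", and a variable such as $SMTP that the config never defines. The config fragment and the rules are constructed for the example and modelled on the ones posted above.

```python
import ipaddress

# Constructed snort.conf fragment (not from the thread); $SMTP is deliberately
# left undefined to show how an unresolved variable is reported.
CONF = "var HOME_NET [192.154.1.0/24]\nvar EXTERNAL_NET !$HOME_NET\n"

# Constructed rules shaped like the thread's scan rules; the last one has its
# destination port left out on purpose.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt"; flags:S;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version"; content:"Amanda"; nocase;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan ehlo"; flags:A+;)
alert tcp $EXTERNAL_NET any -> $HOME_NET (msg:"broken rule"; flags:S;)
"""

def parse_vars(conf):
    # {name: value} for every "var NAME VALUE" line
    return {p[1]: p[2] for p in (ln.split() for ln in conf.splitlines())
            if len(p) == 3 and p[0] == "var"}

def check_address(value, vars_):
    # Follow $VAR references (optional leading "!"), then require "any" or a
    # valid CIDR list such as [192.154.1.0/24]; None means the address is fine.
    value = value.lstrip("!")
    if value.startswith("$"):
        if value[1:] not in vars_:
            return f"undefined variable {value}"
        return check_address(vars_[value[1:]], vars_)
    for net in value.strip("[]").split(","):
        try:
            if net != "any":
                ipaddress.ip_network(net.lstrip("!"), strict=False)
        except ValueError:
            return f"bad network {net}"
    return None

def check_rules(rules, conf):
    # (line_no, problem) for each rule header Snort would refuse to load
    vars_ = parse_vars(conf)
    problems = []
    for n, line in enumerate(rules.splitlines(), 1):
        header = line.split("(", 1)[0].split()  # action proto src sport dir dst dport
        if len(header) != 7:
            problems.append((n, "Port value missing in rule"))
            continue
        for value in (header[2], header[5]):
            err = check_address(value, vars_)
            if err:
                problems.append((n, err))
    return problems
```

Running check_rules(RULES, CONF) reports line 3 for the undefined $SMTP and line 4 for the missing port; the same check run over a real rules file shows which variables still need a var line before Snort will load it.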



