Snort mailing list archives
RE: rule problem
From: "Dell, Jeffrey" <JDell () seisint com>
Date: Fri, 8 Jun 2001 07:52:02 -0400
Oops... maybe I should double check my wording before I send it the next time. I had an extra octet... hehe, it should be:

To get all addresses from 192.154.1.0-192.154.1.255 the format should be like this:

    var HOME_NET [192.154.1.0/24]

-----Original Message-----
From: Dell, Jeffrey [mailto:JDell () seisint com]
Sent: Friday, June 08, 2001 7:30 AM
To: 'alim () dataserve aim edu ph'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] rule problem

Make sure that the values are set properly for $EXTERNAL_NET and $HOME_NET. I have found that is typically when I get this message. To get all addresses from 192.168.154.1.0-192.168.154.255 the format should be like this:

    var HOME_NET [192.154.1.0/24]

Jeff

-----Original Message-----
From: alim () dataserve aim edu ph [mailto:alim () dataserve aim edu ph]
Sent: Friday, June 08, 2001 3:06 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] rule problem

Hi,

I have several questions to ask. Please bear with me because I'm a new user of Snort. I know that this is a powerful tool but I don't know yet how to manipulate it. When I'm running Snort I'm getting this error message:

    Port value missing in rule.

Suppose that I want to run it with the scan rules:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt";flags:S;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy attempt";flags:S;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"INFO - Possible Squid Scan"; flags:S;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg: "SCAN - portmap listing 32771"; flags: A+; rpc: 100000,*,*; reference:arachnids,429;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - wayboard request - allows reading of arbitrary files as http service"; content:"way-board"; nocase;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - palscgi request - allows reading of arbitrary files as http service"; content:"pals-cgi"; nocase;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - commerce request - allows reading of arbitrary files as http service"; content:"commerce.cgi"; nocase;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - sendtemp request - allows reading of arbitrary files as http service"; content:"sendtemp.pl"; nocase;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - webspirs request - allows reading of arbitrary files as http service"; content:"webspirs.cgi"; nocase;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - tstisapi request - allows arbitrary commands as http service"; content:"tstisapi.dll"; nocase;)
    alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SCAN - Named probe authors"; content: "|07|authors|04|bind"; depth: 26; offset: 12; nocase; reference:arachnids,480;)
    alert tcp $HOME_NET 31337 -> $EXTERNAL_NET 80 (msg:"SCAN synscan microsoft"; id: 39426; flags: SF;reference:arachnids,459;)
    alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"SCAN trojan hack-a-tack probe"; content: "A"; depth: 1; reference:arachnids,314; flags:A+;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flags: FPA; content:"/00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00/";)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF;reference:arachnids,441;)
    alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ttl: 220; ack: 0; flags: S;reference:arachnids,439;)
    alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content: "|8007 0000 0700 0004 0000 0000 00|";reference:arachnids,408;)
    alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363;)
    alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan ehlo";flags: A+; content:"ehlo cybercop|0a|quit|0a|"; reference:arachnids,372;)
    alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP cybercop scan expn";flags: A+; content:"expn cybercop"; reference:arachnids,371;)
    alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content: "|0A 68 65 6C 70 0A 71 75 69 74 0A|";reference:arachnids,308;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version"; flags: A+; content: "VERSION|0A|"; depth: 16;reference:arachnids,303;)
    alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version"; content:"Amanda"; nocase;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags: SFU12; ack: 0; depth: 16; reference:arachnids,150;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flags: SF12; dsize: 0; reference:arachnids,146;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags: PA12; depth: 16; reference:arachnids,149;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF; reference:arachnids,198;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt";flags:SFPU; reference:arachnids,05;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL";flags:0; seq:0; ack:0; reference:arachnids,4;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS";flags:SRAFPU; reference:arachnids,144;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F; reference:arachnids,27;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN IP Eye SYN Scan"; flags: S; seq: 1958810375; reference:arachnids,236;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Synscan Portscan ID 19104"; id: 19104; flags: S; reference: arachnids,521;)

What value should I put to replace EXTERNAL_NET, HOME_NET and SMTP? Can I put a value that can scan all the ports? e.g. 192.154.1.0 will scan 192.154.1.0-192.154.1.255. Or what value should I put to replace EXTERNAL_NET to scan all the possible attacks or the likes.

Hope to hear from you guys!

- arthus -
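A small checker, added here as an illustration and not part of the thread or of Snort itself, for the kind of configuration mistake the reply points at: it expands `var` definitions into a rule header the way Snort substitutes them before reading the fields, and reports when the port field is absent or when a space inside an address list shifts the fields. The variable values and rule lines are constructed; the header-parsing model and every message text other than "Port value missing in rule" are assumptions.

```python
import re

# Constructed snort.conf variable block (not from the original post), using the
# /24 form recommended in the thread; EXTERNAL_NET as "not HOME_NET" is the usual pairing.
GOOD_VARS = """
var HOME_NET [192.154.1.0/24]
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
"""
# Constructed mistake: a space inside the address list splits it into two fields.
BAD_VARS = "var HOME_NET [192.154.1.0/24, 10.1.0.0/16]\nvar EXTERNAL_NET !$HOME_NET\n"

HEADER = ("action", "proto", "src", "sport", "dir", "dst", "dport")
PORT_RE = re.compile(r"^!?(any|\d+|\d*:\d*)$")   # any, 80, 10080:10081, :1024, 1024:


def parse_vars(text):
    """Collect 'var NAME VALUE' lines into a dict."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            out[parts[1]] = parts[2]
    return out


def expand(text, variables):
    """Substitute every $NAME (recursively); an undefined name raises KeyError."""
    def sub(m):
        if m.group(1) not in variables:
            raise KeyError(m.group(1))
        return expand(variables[m.group(1)], variables)
    return re.sub(r"\$(\w+)", sub, text)


def check_rule(rule, variables):
    """Return the seven header fields of a rule, or a string naming the problem.
    Assumed, simplified model of the header read: expand variables, split on
    whitespace, then require action proto src sport -> dst dport."""
    try:
        toks = expand(rule, variables).split()
    except KeyError as e:
        return f"Undefined variable ${e.args[0]}"
    if len(toks) < 7:
        return "Not enough fields in rule header (was the line wrapped?)"
    if toks[3] in ("->", "<>"):          # source port left out entirely
        return "Port value missing in rule"
    if toks[4] not in ("->", "<>") or not PORT_RE.match(toks[6]):
        return "Port value missing in rule (fields shifted: spaces in an address list?)"
    return dict(zip(HEADER, toks))
```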