RE: v1.7 on NT4 - Can't get my own RULES working?? help.

[Bryce Stenberg <bryce () hrnz co nz>]

Hi,

Since I don't currently have the time to do another upgrade and 1.7 was a
stable working version on NT4 - can anyone please comment on how to run only
your 'local.rules' with only preprocessors of 'defrag' and 'http_decode' -
ie. apart from commenting out all the snort.conf 'includes' and other
preprocessors what am I missing such that even an 'any <> any' style rule
doesn't work?

I'm assuming there is nothing wrong with my rules that I defined? (see
previous message below) - if there is something obviously wrong there can
you please let me know.

Thanks for your help - sorry if you have to dredge your memories now for 1.7
version way of doing things (although I would have hoped that 1.8 worked in
the same fashion).

Regards,
  Bryce Stenberg.
     Harness Racing New Zealand computer department,
     emailto:bryce () hrnz co nz

> -----Original Message-----
> From: Wayne Work [mailto:wwork () cybergnostic com]
> Sent: Tuesday, 19 February 2002 12:34 p.m.
> To: Bryce Stenberg; snort-users () lists sourceforge net
> Subject: RE: [Snort-users] v1.7 on NT4 - Can't get my own RULES
> working?? help.
>
>
> First of all,
>
> If you are using 1.7 please upgrade NOW. Things will be much brighter
>
>  -----Original Message-----
> From:         snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]  On Behalf Of Bryce
> Stenberg
> Sent: Monday, February 18, 2002 5:53 PM
> To:   'snort-users () lists sourceforge net'
> Subject:      [Snort-users] v1.7 on NT4 - Can't get my own 
> RULES working?? help.
>
> Hi,
>
> I'm new to snort and first time user on this list - so 
> firstly, I've looked
> in the archives but could find no way to do a key word search. Is this
> possible?    Anyway, sorry if repeating something often asked...
>
> PROBLEM:
> I've had snort running for a number of months ok with just 
> the default rules
> set.  However, there is so much activity from attack attempts 
> that I decided
> to not use all the rules and look instead for strings 
> matching information
> on our servers that should not be passing out over the internet (like
> certain directory names, etc). This way I'll only get alerted 
> to actual
> successful penetrations/compromise of the network, at least I hope so.
>
> So, I created a couple of rules of:
>
> alert tcp any any <> $HOME_NET any (msg:"Outgoing directory 
> listing via
> tcp"; content: "enticing_directory_name"; nocase; flags: PA; 
> priority:10;)
>
> alert udp any any <> $HOME_NET any (msg:"Outgoing directory 
> listing via
> udp"; content: "enticing_directory_name"; nocase;  flags: PA; 
> priority:10;)
> .
>
> I altered 'snort.conf' to NOT run any of the includes at end 
> of file. Also
> stopped all preprocessors except 'defrag' and 'http_decode'.
>
> I initially placed my rules in 'local.rules' file but that 
> had no effect -
> do I have to 'include' a certain lib file (at end of 
> 'snort.conf') to be
> able to use 'local.rules' file?
>
> Anyway, I next added my rules to the end of 'backdoor.rules' file and
> uncommented the 'include backdoor-lib' since I expect that 
> makes use of
> backdoor.rules.
>
> I then tested again (by ftp'ing directory listings and text 
> files containing
> the content string from the server running snort so the 
> packets had to be
> seen by snort).  Still no alert outputs?
>
> So can anyone offer me advice on how to get it working please?
> I hope the above enough information but if more needed just ask.
> If its a problem with my actual rules, I have also tried various
> combinations in the header like:
> alert tcp any any <> any any (
> alert tcp any any -> $HOME_NET any (
> alert tcp any any <- $HOME_NET any (
>   etc....
>
> Regards,
>   Bryce Stenberg.
>      Harness Racing New Zealand computer department,
>      emailto:bryce () hrnz co nz
>
>
> CAUTION: This email message and accompanying data may contain 
> information
> that is confidential and subject to legal privilege. If you 
> are not the
> intended recipient you are notified that any use, dissemination,
> distribution or copying of this message or data is 
> prohibited. If you have
> received this email message in error please notify us 
> immediately and erase
> all copies of the message and attachments.
>  ALSO, unless expressly stated otherwise, the contents of this message
> represent only the views of the sender as expressed only to 
> the intended
> recipient, do not commit Harness Racing New Zealand (HRNZ) to 
> any course of
> action and are not intended to impose any legal obligation upon HRNZ.
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


CAUTION: This email message and accompanying data may contain information
that is confidential and subject to legal privilege. If you are not the
intended recipient you are notified that any use, dissemination,
distribution or copying of this message or data is prohibited. If you have
received this email message in error please notify us immediately and erase
all copies of the message and attachments.
 ALSO, unless expressly stated otherwise, the contents of this message
represent only the views of the sender as expressed only to the intended
recipient, do not commit Harness Racing New Zealand (HRNZ) to any course of
action and are not intended to impose any legal obligation upon HRNZ.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users