Snort mailing list archives
RE: v1.7 on NT4 - Can't get my own RULES working?? help.
From: Bryce Stenberg <bryce () hrnz co nz>
Date: Wed, 20 Feb 2002 09:58:50 +1300
Hi, Since I don't currently have the time to do another upgrade and 1.7 was a stable working version on NT4 - can anyone please comment on how to run only your 'local.rules' with only preprocessors of 'defrag' and 'http_decode' - ie. apart from commenting out all the snort.conf 'includes' and other preprocessors what am I missing such that even an 'any <> any' style rule doesn't work? I'm assuming there is nothing wrong with my rules that I defined? (see previous message below) - if there is something obviously wrong there can you please let me know. Thanks for your help - sorry if you have to dredge your memories now for 1.7 version way of doing things (although I would have hoped that 1.8 worked in the same fashion). Regards, Bryce Stenberg. Harness Racing New Zealand computer department, emailto:bryce () hrnz co nz
-----Original Message----- From: Wayne Work [mailto:wwork () cybergnostic com] Sent: Tuesday, 19 February 2002 12:34 p.m. To: Bryce Stenberg; snort-users () lists sourceforge net Subject: RE: [Snort-users] v1.7 on NT4 - Can't get my own RULES working?? help. First of all, If you are using 1.7 please upgrade NOW. Things will be much brighter -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bryce Stenberg Sent: Monday, February 18, 2002 5:53 PM To: 'snort-users () lists sourceforge net' Subject: [Snort-users] v1.7 on NT4 - Can't get my own RULES working?? help. Hi, I'm new to snort and first time user on this list - so firstly, I've looked in the archives but could find no way to do a key word search. Is this possible? Anyway, sorry if repeating something often asked... PROBLEM: I've had snort running for a number of months ok with just the default rules set. However, there is so much activity from attack attempts that I decided to not use all the rules and look instead for strings matching information on our servers that should not be passing out over the internet (like certain directory names, etc). This way I'll only get alerted to actual successful penetrations/compromise of the network, at least I hope so. So, I created a couple of rules of: alert tcp any any <> $HOME_NET any (msg:"Outgoing directory listing via tcp"; content: "enticing_directory_name"; nocase; flags: PA; priority:10;) alert udp any any <> $HOME_NET any (msg:"Outgoing directory listing via udp"; content: "enticing_directory_name"; nocase; flags: PA; priority:10;) . I altered 'snort.conf' to NOT run any of the includes at end of file. Also stopped all preprocessors except 'defrag' and 'http_decode'. I initially placed my rules in 'local.rules' file but that had no effect - do I have to 'include' a certain lib file (at end of 'snort.conf') to be able to use 'local.rules' file? Anyway, I next added my rules to the end of 'backdoor.rules' file and uncommented the 'include backdoor-lib' since I expect that makes use of backdoor.rules. I then tested again (by ftp'ing directory listings and text files containing the content string from the server running snort so the packets had to be seen by snort). Still no alert outputs? So can anyone offer me advice on how to get it working please? I hope the above enough information but if more needed just ask. If its a problem with my actual rules, I have also tried various combinations in the header like: alert tcp any any <> any any ( alert tcp any any -> $HOME_NET any ( alert tcp any any <- $HOME_NET any ( etc.... Regards, Bryce Stenberg. Harness Racing New Zealand computer department, emailto:bryce () hrnz co nz CAUTION: This email message and accompanying data may contain information that is confidential and subject to legal privilege. If you are not the intended recipient you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. ALSO, unless expressly stated otherwise, the contents of this message represent only the views of the sender as expressed only to the intended recipient, do not commit Harness Racing New Zealand (HRNZ) to any course of action and are not intended to impose any legal obligation upon HRNZ. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
CAUTION: This email message and accompanying data may contain information that is confidential and subject to legal privilege. If you are not the intended recipient you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. ALSO, unless expressly stated otherwise, the contents of this message represent only the views of the sender as expressed only to the intended recipient, do not commit Harness Racing New Zealand (HRNZ) to any course of action and are not intended to impose any legal obligation upon HRNZ. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: v1.7 on NT4 - Can't get my own RULES working?? help. Bryce Stenberg (Feb 19)