Snort mailing list archives
Re: Questions after 1.9.1 install
From: John Sage <jsage () finchhaven com>
Date: Sat, 15 Mar 2003 10:07:32 -0800
On Sat, Mar 15, 2003 at 01:25:44AM -0500, Alberto Gonzalez wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1Hello all. Long time no post..{ yawn... } Helloalert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP inbound to 445 \ Win2k SMB";)Hrm... lets take a look at this (cervello is internal @ 192.168.1.4) (root@cervello)(~) cat /etc/snort/rules/local.rules alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "TCP inbound to \ 445 Win2k SMB"; ) Then from my gateway (root@cerebro)(~) telnet 192.168.1.4 445 Trying 192.168.1.4... telnet: connect to address 192.168.1.4: Connection refused (root@cerebro)(~) I go back to cervello (root@cervello)(~) tail -f /var/log/snort/alert [**] [1:0:0] TCP inbound to 445 Win2k SMB [**] [Priority: 0] 03/15-01:24:28.795690 192.168.1.1:44904 -> 192.168.1.4:445 TCP TTL:51 TOS:0x0 ID:12719 IpLen:20 DgmLen:40 ******S* Seq: 0x7DE72FFE Ack: 0x0 Win: 0x1000 TcpLen: 20 It worked here, verified it on linux and openbsd.
But was that the *only* rule in your local.rules? It's not so much that the rule doesn't work, it's that it doesn't fire while a more generic rules does, even when the specific rule is *before* the generic one (to address Erek's question..) thus: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "TCP inbound to 445 Win2k SMB"; ) comes before the generic: alert tcp $EXTERNAL_NET 1025:4320 -> $HOME_NET any (msg:"TCP inbound \ from range 1025-4320";) Does -o also re-order rules within the class "alert" in addition to re-ordeging the general classes? I hadn't thought so.. - John -- "You must define an operating system environment, or the configuration file build will puke." PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705 ------------------------------------------------------- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Questions after 1.9.1 install John Sage (Mar 14)
- Re: Questions after 1.9.1 install Alberto Gonzalez (Mar 14)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Alberto Gonzalez (Mar 15)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Erek Adams (Mar 15)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Erek Adams (Mar 15)
- Re: Questions after 1.9.1 install John Sage (Mar 15)
- Re: Questions after 1.9.1 install Chris Green (Mar 21)
- Re: Questions after 1.9.1 install Alberto Gonzalez (Mar 14)