Snort mailing list archives
RE: Variables and Negation
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 17 Mar 2003 14:22:57 -0600
Most web rules are written like this (copied from web-misc.rules):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise DOS"; content:"REVLOG / "; offset:0; depth:9; flow:to_server,established; reference:cve,CAN-2001-0251; reference:bugtraq,2294; classtype:web-application-attack; sid:1047; rev:6;)

This means that the originating host *must* be from $EXTERNAL_NET. This *excludes* traffic from $HOME_NET *to* a web host.

If I understand what you're trying to do, you're trying to catch traffic to port 80 on $HOME_NET hosts that are *not* webservers, right? If so, the modification I offered should work.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: Jason Luke [mailto:jluke () truarx com]
Sent: Monday, March 17, 2003 2:16 PM
To: Schmehl, Paul L; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Variables and Negation

I don't think $HTTP_SERVERS [!192.168.2.2/32] would help me because it would catch unwanted traffic destined for hosts on the Internet. (e.g. if somebody was accessing some website on the Internet with /intranet it would trigger when I don't care.) Some people use the proxy and some do not. So I see traffic to random external IPs, and internal IPs, including my proxy. I want the rule to only show me traffic destined to servers on my network, except for the proxy.
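The two points made in this exchange (a negation-only list such as [!192.168.2.2/32] matches Internet hosts too, and a source of $EXTERNAL_NET never matches internal clients) can be checked with a small model of Snort's IP-list semantics. This is an added example, not code from the list or from Snort; it assumes single-level lists where negated entries are subtracted from the positive ones, and the variable values and sample addresses are constructed for the scenario in the thread.

```python
import ipaddress

# Constructed variable values for the thread's scenario (not from any real snort.conf).
VARS = {
    "HOME_NET": "192.168.2.0/24",
    "EXTERNAL_NET": "!192.168.2.0/24",                       # the usual !$HOME_NET, expanded
    "PROXY_ONLY": "[!192.168.2.2/32]",                        # "anything except the proxy"
    "HOME_MINUS_PROXY": "[192.168.2.0/24,!192.168.2.2/32]",  # "my network except the proxy"
}


def expand(spec):
    """Substitute $NAME references with the constructed variable values."""
    for name, value in VARS.items():
        spec = spec.replace("$" + name, value)
    return spec


def parse_ip_list(spec):
    """Parse 'any', a single entry, or '[a,b,!c]' into (include, exclude) networks.
    Simplified model: a list containing only negations means 'everything except these'."""
    spec = expand(spec).strip()
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], []
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    include, exclude = [], []
    for item in spec.split(","):
        item = item.strip()
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (exclude if item.startswith("!") else include).append(net)
    if not include:
        include = [ipaddress.ip_network("0.0.0.0/0")]
    return include, exclude


def ip_matches(addr, spec):
    """True if addr is inside some positive entry and outside every negated entry."""
    ip = ipaddress.ip_address(addr)
    include, exclude = parse_ip_list(spec)
    return any(ip in n for n in include) and not any(ip in n for n in exclude)


def header_matches(src, dst, dport, src_spec, dst_spec, dport_spec="80"):
    """Model of a 'src any -> dst port' rule header (single port number or 'any')."""
    return (ip_matches(src, src_spec) and ip_matches(dst, dst_spec)
            and dport_spec in ("any", str(dport)))
```

Evaluating $PROXY_ONLY against an Internet address shows the unwanted match Jason describes, while $HOME_MINUS_PROXY restricts hits to the internal network; swapping the source from $EXTERNAL_NET to $HOME_NET is what lets internal clients trigger the rule at all.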