Snort mailing list archives
Re: Rule help
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 23 Dec 2008 13:29:55 -0700
Is this in the docs anywhere? I've got the rule writing section in front of me and didn't see that in the protocol section. That would have been nice to know up front. :)

-----Original Message-----
From: Jack Pepper [mailto:pepperjack () afferentsecurity com]
Sent: December 23, 2008 12:22 PM
To: Jefferson, Shawn
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule help

Quoting "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>:
> My original rule worked out great, but I tried to create another rule that alerts me on anything that went from the $HOME_NET to $EXTERNAL_NET port 11830, and I obviously did something wrong, since I got about 3 million alerts in 5 minutes... pretty much all traffic going to the IDS sensor (which takes forever to delete via BASE!)
>
> Here's what I tried:
>
> alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)
Change the "ip" to tcp. IP protocol ignores the src and dest port numbers. So yes, this rule is catching *any* outbound traffic.

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
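A small rule-header lint check in Python, added here as an illustration of the point Jack makes; it is not from the thread and not part of Snort. It parses the header of each rule, flags an `ip` rule whose port fields Snort ignores (so the rule would fire on all traffic between the two address sets) before the rule is loaded, and rewrites the protocol field. The header grammar is a simplified assumption of mine that covers plain headers like the one posted above; the two rules are constructed from the thread.

```python
import re

# Constructed sample rules: the first is the rule posted in the thread, the
# second is the same rule after the suggested fix (ip -> tcp).
BROKEN_RULE = ('alert ip $HOME_NET any -> $EXTERNAL_NET 11830 '
               '(msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)')
FIXED_RULE = BROKEN_RULE.replace("alert ip ", "alert tcp ", 1)

# Simplified Snort rule-header grammar (assumption for this example): one rule
# per line, single tokens for addresses and ports. Lists such as "[80,443]" or
# negations such as "!$HOME_NET" are accepted as opaque tokens, not expanded.
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>[A-Za-z]+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def parse_header(rule):
    """Split a rule into its header fields; raise on anything outside the grammar."""
    m = HEADER_RE.match(rule)
    if m is None:
        raise ValueError(f"cannot parse rule header: {rule!r}")
    return m.groupdict()


def lint_rule(rule):
    """Return a list of warning strings for one rule (an empty list means clean)."""
    hdr = parse_header(rule)
    proto = hdr["proto"].lower()
    warnings = []
    ports_specified = hdr["sport"] != "any" or hdr["dport"] != "any"
    # The thread's mistake: with proto "ip" Snort ignores both port fields, so a
    # port constraint written there does nothing and the rule matches every
    # packet between the two address sets.
    if proto == "ip" and ports_specified:
        warnings.append(
            f"proto 'ip' ignores port fields (src {hdr['sport']}, "
            f"dst {hdr['dport']}); rule matches all traffic "
            f"{hdr['src']} {hdr['dir']} {hdr['dst']}"
        )
    if "sid:" not in hdr["opts"]:
        warnings.append("missing sid: option")
    return warnings


def suggest_fix(rule, proto="tcp"):
    """Rewrite the protocol field so the port constraint is actually applied."""
    hdr = parse_header(rule)
    return (f"{hdr['action']} {proto} {hdr['src']} {hdr['sport']} {hdr['dir']} "
            f"{hdr['dst']} {hdr['dport']} ({hdr['opts']})")


def lint_file(text):
    """Lint every non-blank, non-comment line; return {line_no: warnings}."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        found = lint_rule(line)
        if found:
            report[n] = found
    return report


if __name__ == "__main__":
    for w in lint_rule(BROKEN_RULE):
        print("WARNING:", w)
    print("suggested:", suggest_fix(BROKEN_RULE))
    print("fixed rule warnings:", lint_rule(FIXED_RULE))
```

Run it over a rules file with `lint_file(open("local.rules").read())` before the file is loaded into the sensor. The check is limited to what the thread establishes (ports are meaningless for `ip`); if the service on 11830 can also run over UDP, add a second rule with proto `udp` rather than falling back to `ip`.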
Current thread:
- Rule help Jefferson, Shawn (Dec 19)
- Re: Rule help Markus Lude (Dec 19)
- Re: Rule help Matt Olney (Dec 19)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Joel Esler (Dec 23)
- Re: Rule help Jack Pepper (Dec 23)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Jack Pepper (Dec 23)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Joel Esler (Dec 23)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Markus Lude (Dec 19)