Snort mailing list archives
Re: configuring rules
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 2 Sep 2014 16:53:24 +0000
Yes. http://manual.snort.org/node53.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 2, 2014, at 12:50 PM, Sharif Uddin <Sharif.Uddin () spectrumasa com> wrote:

Is it possible to have multiple IP addresses instead of just networks in ipvar HOME_NET?

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: 02 September 2014 17:17
To: Sharif Uddin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] configuring rules

Dear Sharif,

Thanks for your email. I believe you will find what you are looking for here:
http://manual.snort.org/node31.html#SECTION00446000000000000000

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 2, 2014, at 12:05 PM, Sharif Uddin <Sharif.Uddin () spectrumasa com> wrote:

How would I add classification and severity to custom alerts?

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: 02 September 2014 16:49
To: Sharif Uddin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] configuring rules

It appears that all of your rules are bi-directional: "<>". Try making them single directional: "->".

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 2, 2014, at 11:41 AM, Sharif Uddin <Sharif.Uddin () spectrumasa com> wrote:

Hello,

I need some help in writing some rules to test my network.

I have set up Snort, Barnyard2 and Snorby on CentOS 7. My home network is:

    ipvar HOME_NET [172.16.0.0/22,172.16.12.0/24,172.16.13.0/24,31.221.13.192/29,62.49.167.0/29,62.49.167.8/29,192.168.254.0/24,192.168.202.0/24,192.168.218.0/24,10.0.2.0/24,10.0.3.0/24,192.168.15.0/24,172.16.64.0/18,172.16.15.0/24,172.16.16.0/22,10.0.0.0/24,10.0.1.0/24,192.168.252.0/24,172.16.171.0/24,10.40.135.0/24,172.16.8.0/24,172.16.9.0/24,192.168.0.0/24,172.0.0.0/24,105.0.0.0/24,192.168.1.1/24,192.168.224.0/20,212.103.166.96/30]

The following are some test rules which I put in local.rules:

    # external ping to internal network?
    alert icmp !$HOME_NET any <> $HOME_NET any (msg:"ICMP"; sid:1000001; rev:1;)
    # found a sample online which has not responded to anything
    alert tcp $HOME_NET any <> $HOME_NET any (content:"|00 01 86 a5|"; msg:"mountd access"; sid:1000002; rev:1;)
    # test external ip trying to mount
    alert tcp !$HOME_NET :139 <> $HOME_NET any (msg:"NetBIOS Session"; sid:1000003; rev:1;)
    # test external ip trying to mount
    alert tcp !$HOME_NET :445 <> $HOME_NET any (msg:"SMB over TCP"; sid:1000004; rev:1;)

Have I written them correctly?

For my Samba alerts I have found it also includes the internal network; when I look at the source port on Snorby, it's not always 139 or 445. What am I doing wrong?

Sharif

IMPORTANT - This message and any attached files contain information intended for the exclusive use of the party or parties to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not an intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender immediately and delete the original message without making any copies. Copyright in this email and any attachments belong to Spectrum Geo Limited. We cannot guarantee the security or confidentiality of email communications. We do not accept any liability for losses or damages that you may suffer as a result of your receipt of this email. Email communication with Spectrum Geo Ltd., may be monitored as permitted by UK legislation. Spectrum Geo Limited, is a limited company registered in England and Wales. Registered number: 1979422. Registered office: 95 Aldwych, London WC2B 4JF.

------------------------------------------------------------------------------
Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
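The three points raised in the thread (single-directional rules, classification and severity, individual addresses in HOME_NET) applied to the posted rules, as an added example that is not part of any list post; the shortened HOME_NET list, the two single addresses in it, and the sids reused with rev:2 are assumed for illustration.

```snort
# Variables belong in snort.conf. ipvar takes CIDR blocks and single
# addresses in the same list (10.40.135.7 and 10.40.135.8 are constructed).
ipvar HOME_NET [172.16.0.0/22,192.168.254.0/24,10.40.135.7,10.40.135.8]

# Rules below belong in local.rules.
# "->" matches only traffic entering HOME_NET from outside. classtype supplies a
# default priority from classification.config; priority: overrides it (1 = highest).
# itype:8 restricts the ICMP rule to echo requests instead of every ICMP packet.
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request from external host"; itype:8; classtype:misc-activity; priority:3; sid:1000001; rev:2;)

# The service port is the destination; the client's source port is ephemeral, so it
# stays "any". The original ":139" meant source ports 0-139, not destination port 139.
# flow:to_server,established keeps the rule to the client side of a completed handshake.
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"LOCAL NetBIOS session from external host"; flow:to_server,established; classtype:attempted-recon; priority:2; sid:1000003; rev:2;)
alert tcp !$HOME_NET any -> $HOME_NET 445 (msg:"LOCAL SMB over TCP from external host"; flow:to_server,established; classtype:attempted-recon; priority:2; sid:1000004; rev:2;)

# |00 01 86 a5| is RPC program 100005 (mountd) in network byte order; the sample
# rule this comes from looks for it in requests to the portmapper on TCP 111.
alert tcp !$HOME_NET any -> $HOME_NET 111 (msg:"LOCAL mountd portmap request from external host"; flow:to_server,established; content:"|00 01 86 a5|"; classtype:attempted-recon; priority:2; sid:1000002; rev:2;)
```

Run `snort -T -c /etc/snort/snort.conf` after editing to confirm the rules parse before restarting the sensor; Snorby then shows the classification and priority of each event.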