Snort mailing list archives
Re: Snort Rule Creation
From: John G <drterdnugget () gmail com>
Date: Tue, 31 Jan 2017 20:04:52 -0600
Hey Joel. Yes I do. I just left is an "any" because i was trying everything to get it to alert lol But we are thinking that the issue is not rule related. On Tue, Jan 31, 2017 at 7:57 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
You know you can do ![80,443] as ports right? -- Sent from my iPhone On Jan 31, 2017, at 8:50 PM, John G <drterdnugget () gmail com> wrote: That is from Sourcefire. This is what the actual rule looks like now. alert ip !Source address any <> [All, 8, destination, addresses] any (sid:1000000; gid:1; msg:"Unwanted Traffic"; classtype:tcp-connection; rev:5; ) The rule should work right? Might be an issue with the way our network is setup and where our ids is located. On Tue, Jan 31, 2017 at 7:41 PM, Desmond Agee <dezmondagee () yahoo com> wrote:What program is that a snap-shot of? Desmond Agee On Jan 31, 2017, at 8:27 PM, John G <drterdnugget () gmail com> wrote: Alright, so this is basically what I did. Alert ip !SOURCEIP any [8, Destination, IP's] any (msg:”Unauthorized TCP traffic initiated”;) I figured out that you can negate with ! in front of the IP's. To test it, I have been sending ping packets to the destination IP's from a source ip address that is NOT what i entered in the Source IP part of the rule. However, I am not receiving any alerts. Do i need to add arguments to look for tcp traffic? On Tue, Jan 31, 2017 at 5:58 PM, John G <drterdnugget () gmail com> wrote:Forgot to attach the screenshot. On Tue, Jan 31, 2017 at 5:09 PM, Joel Esler (jesler) <jesler () cisco com> wrote:Maybe something like: alert tcp $SOURCEIP any -> ![destip1, destip2, destip3] any (msg:”Unauthorized TCP traffic initiated”; flags:S; sid:1000000; rev:1;) ? *--* *Joel Esler *| *Talos:* Manager | jesler () cisco com On Jan 31, 2017, at 5:33 PM, John G <drterdnugget () gmail com> wrote: Good Afternoon everyone, My name is John and I am starting out with creating Snort rules. I have experience using Snort with IDS's such as Sourcefire and Security Onion for incident response. However, i don't have much experience creating custom rules. Although i once created a rule during one of my security classes during my undergrad program lol Anyway, i have been reading documentation for how to understand/create rules from a variety of sources. But I wanted to reach out to you guys and see what information you can provide. I have a device that is communicating with about 8 other devices. I would like to write a rule that alerts if it detects any communication outside of those devices. Is it possible to list multiple ip addresses within a rule and maybe use an is not "!=" attribute. So something like: alert tcp != sourceip1 80 -> destip1, destip2, destip3, etc (msg:"Alert Message";) I would appreciate any assistance and will continue to do my own research and see if i can figure it out on my own :) Regards, John ------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot______ _________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation Joel Esler (jesler) (Jan 31)
- Re: Snort Rule Creation James Lay (Jan 31)
- Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation Desmond Agee (Jan 31)
- Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation Joel Esler (jesler) (Jan 31)
- Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation Joel Esler (jesler) (Jan 31)