Re: rule exclusion by content

["Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>]

You can negate content:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION00451000000000000000

Taken from the “note” section

Note:

A ! modifier negates the results of the entire content search, modifiers included. For example, if using content:!"A"; 
within:50; and there are only 5 bytes of payload and there is no "A" in those 5 bytes, the result will return a match. 
If there must be 50 bytes for a valid match, use isdataat as a pre-cursor to the content.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Snort-sigs <snort-sigs-bounces () lists snort org<mailto:snort-sigs-bounces () lists snort org>> on behalf of 
"lravelo () us hellmann net<mailto:lravelo () us hellmann net>" <lravelo () us hellmann net<mailto:lravelo () us 
hellmann net>>
Date: Thursday, July 13, 2017 at 11:52 AM
To: "snort-sigs () lists snort org<mailto:snort-sigs () lists snort org>" <snort-sigs () lists snort 
org<mailto:snort-sigs () lists snort org>>
Subject: [Snort-sigs] rule exclusion by content

Good morning,

I have this rule which generates way too many alerts in squert:

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt"; 
sid:19187; gid:3; rev:7; classtype:attempted-user; reference:cve,2011-1889; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-040; metadata: engine shared, soid 3|19187, policy 
max-detect-ips drop;)

we use OpenDNS in our environment and it seems like every single alert contains "opendns" somewhere in the content.  
I'm sure there's a way to adjust or create another rule which negates the alert if the payload contains the word 
"opendns" but I've not seen any examples of this online.  Any help is appreciated :-)

Regards,

Lazaro Ravelo
ISS Systems Engineer II

Hellmann Worldwide Logistics Inc.
10450 Doral Blvd
Doral, FL  33178
Phone:  +1 305 406 4500
Fax:  +1 305 418 4992
Direct:  +1 305 406 4574
Mobile:  +1 305 927 1386
Email:  Lazaro.Ravelo () us hellmann net<mailto:Lazaro.Ravelo () us hellmann net>
Web:  www.hellmann.com<http://www.hellmann.net/>
[cid:_2_0D401B3C0D400CB00057323E8525815C]
THINKING AHEAD - MOVING FORWARD

07/13/2017----11:43:39 AM


> Disclaimer: Please note that Internet communications are not secure and therefore HELLMANN WORLDWIDE LOGISTICS does 
> not accept legal responsibility for the contents of this message. This e-mail is intended only for the use of the 
> individual or entity named above and may contain information that is confidential and privileged. If you are not the 
> intended recipient, you are hereby notified that any dissemination, distribution or copying of this e-mail is strictly 
> prohibited. Opinions, conclusions and other information in this message that do not relate to the official business of 
> HELLMANN WORLDWIDE LOGISTICS shall be understood as neither given nor endorsed by it. Viruses: HELLMANN WORLDWIDE 
> LOGISTICS takes all possible steps to ensure that emails are virus free, but does not accept any liability or 
> responsibility whatsoever for any claims, losses or damages arising as a result of any party accessing this email or 
> files attached to it.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!