Re: [Snort-sigs] Rule for identifying all trafic except the specefied

Le Jeudi 15 Juin 2006 15:38, Rajkumar S a écrit :
> Jeff Kell wrote:
> > > fwsam is used for snortsam, for blocking the ip using alerts of snort.
> > > Now I want to negate this rule to alert all streams that do not match
> > > this rule. When I try to use ! operator I get an error about Pure not
> > > rule. I am using snort 2.4.5
> >
> > You could change that to a pass rule, then do an unconditional alert
> > without content for the rest.  But be careful what you wish for :-) 
> > You'll probably want to threshold it or something similar.
>
> That was not working as I wanted, most probably due to my incompetence. But
> after much trial and error, I found another set of rules that works.
>
>
> alert tcp any any ->  192.168.3.74 20 (msg:"Foo rule";
> flow:to_server,established; content:"FOOBAR"; flowbits:set,allblock;
> flowbits:noalert;)
>
> alert tcp any any -> 192.168.3.74 20 (msg:"Test Rule"; rev:1;
> pcre:"/.*/sm"; flowbits:isnotset,allblock; fwsam: src, 10 minutes;)

I don't understand why there is the need for the pcre. It looks useless to me.

Furthermore, these rules will  only detect something strange on the FTP-DATA 
port. The exploits are more currently using commands (port 21). 

Last but not least, if you really want to look  pattern in the DATA traffic,   
it won't work when the client is using the passive mode. The FTP-DATA port is 
no more longer 20, but an arbitrary port.



Thierry 


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs