Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Rule for identifying all trafic except the specefied

from [Rajkumar S] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Rule for identifying all trafic except the specefied
Date: Thu, 15 Jun 2006 19:47:56 +0530 
Chich Thierry wrote:

alert tcp any any ->  192.168.3.74 20 (msg:"Foo rule";
flow:to_server,established; content:"FOOBAR"; flowbits:set,allblock;
flowbits:noalert;)

alert tcp any any -> 192.168.3.74 20 (msg:"Test Rule"; rev:1;
pcre:"/.*/sm"; flowbits:isnotset,allblock; fwsam: src, 10 minutes;)



I don't understand why there is the need for the pcre. It looks useless to me.


Same here, but the rule was not working with out the pcre. Infact I wasted a 
lot of time 
trying to figure out why the rule was not working, and finally tried the pcre 
just as a 
trial and it worked.


Furthermore, these rules will  only detect something strange on the FTP-DATA 
port. The exploits are more currently using commands (port 21). 


Our objective was to flag an alert (and block using snortsam) if any traffic 
other than 
the one specefied was going to the ftp server.


Last but not least, if you really want to look  pattern in the DATA traffic,  
 
it won't work when the client is using the passive mode. The FTP-DATA port is 
no more longer 20, but an arbitrary port.


Agreed, will modify the rule here.

raj


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] Rule for identifying all trafic except the specefied, Chich Thierry
Next by Date:  [Snort-sigs] Sourcefire VRT Certified Rules Update, Sourcefire VRT
Previous by Thread:  Re: [Snort-sigs] Rule for identifying all trafic except the specefied, Chich Thierry
Next by Thread:  [Snort-sigs] rule for Non-SSL traffic on SSL port?, Hellman, Matthew
Indexes:  [Date] [Thread] [Top] [All Lists]