Re: [Snort-users] Question on port lists and negation

Subject: Re: [Snort-users] Question on port lists and negation
Date: Mon, 08 Oct 2007 20:13:34 -0500
Hello Richard,

I believe something like the following should work, without the use of 'flow' 
in the rule. 

alert tcp any !PORTS -> any !PORTS 

The rule needs to apply to packets going to and coming from the ports in the PORTS 
list.  I have not found the "->" token to do anything to enforce direction 
since at least 2.4.3.  I've had to rely on the 'flow' option to enforce a 
packet direction for TCP sessions.

I would use something like this:

alert tcp any any -> any !PORTS ( flow:to_server,established; ... )

To the best of my knowledge, using option 'flow:to_server,established;' does 
two things: 1. it prevents your alert from triggering until a flow is 
"established", and 2. it prevents alerting on return packets related to the 
established flow.  


-John
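To make the two points above concrete, here is a small added model (written for this page, not Snort's own code) of how a rule header port list with negation is resolved and what flow:to_server,established adds on top of it. The portvar definitions, ports and addresses are the ones from the thread; the packets are a constructed session, and the session tracking is a simplification that only follows the TCP three-way handshake. The header is checked in the packet's own direction; the model makes no claim about how Snort 2.8 itself treats "->".

```python
"""Toy model of Snort port-list negation and the flow option (added example,
not Snort's code).  Ports/addresses are from the thread; packets are constructed."""
from dataclasses import dataclass

ALL_PORTS = frozenset(range(65536))

# portvar definitions from the thread, as they would appear in snort.conf
VARS = {
    "MY_HTTP_PORTS": "[80,81,82,83,88,8000,8008,8080]",
    "NOT_MY_HTTP_PORTS": "[!80,!81,!82,!83,!88,!8000,!8008,!8080]",
}


def parse_ports(spec: str, variables: dict) -> frozenset:
    """Resolve a header port spec ('any', '8000', '80:88', '$VAR', '!$VAR',
    '[80,81]', '[!80,!81]') to the set of ports it matches."""
    spec = spec.strip()
    if spec == "any":
        return ALL_PORTS
    if spec.startswith("!"):                       # negate whatever follows
        return ALL_PORTS - parse_ports(spec[1:], variables)
    if spec.startswith("$"):                       # variable reference
        return parse_ports(variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        positives, negatives = set(), set()
        for item in spec[1:-1].split(","):
            item = item.strip()
            if item.startswith("!"):
                negatives |= parse_ports(item[1:], variables)
            else:
                positives |= parse_ports(item, variables)
        base = positives if positives else ALL_PORTS   # only negations: "all but these"
        return frozenset(base - negatives)
    if ":" in spec:                                # port range lo:hi
        lo, hi = spec.split(":")
        return frozenset(range(int(lo or 0), int(hi or 65535) + 1))
    return frozenset({int(spec)})


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S", "SA", "A", "PA"


class FlowTracker:
    """Remembers which endpoint sent the first SYN (the client) so packets can be
    classified to_server / to_client, and whether the handshake completed."""

    def __init__(self):
        self.sessions = {}   # endpoint pair -> {"client": (ip, port), "state": str}

    @staticmethod
    def _key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def update(self, p):
        s = self.sessions.get(self._key(p))
        if s is None:
            if p.flags == "S":   # a bare SYN opens a session; its sender is the client
                self.sessions[self._key(p)] = {"client": (p.src, p.sport), "state": "syn"}
        elif s["state"] == "syn" and p.flags == "SA" and (p.dst, p.dport) == s["client"]:
            s["state"] = "synack"
        elif s["state"] == "synack" and "A" in p.flags and (p.src, p.sport) == s["client"]:
            s["state"] = "established"

    def direction(self, p):
        s = self.sessions.get(self._key(p))
        if s is None:
            return None
        return "to_server" if (p.src, p.sport) == s["client"] else "to_client"

    def established(self, p):
        s = self.sessions.get(self._key(p))
        return s is not None and s["state"] == "established"


@dataclass
class Rule:
    sid: int
    src_ports: frozenset
    dst_ports: frozenset
    flow: tuple = ()   # e.g. ("to_server", "established")

    def matches(self, p, tracker):
        # header: source/destination port sets checked in the packet's own direction
        if p.sport not in self.src_ports or p.dport not in self.dst_ports:
            return False
        if "established" in self.flow and not tracker.established(p):
            return False
        for want in ("to_server", "to_client"):
            if want in self.flow and tracker.direction(p) != want:
                return False
        return True


def run(rules, packets):
    """Feed packets through the tracker; return {sid: [alerted packets]}."""
    tracker, alerts = FlowTracker(), {r.sid: [] for r in rules}
    for p in packets:
        tracker.update(p)
        for r in rules:
            if r.matches(p, tracker):
                alerts[r.sid].append(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
    return alerts


# Constructed session: client 192.168.2.105:53298 talks to a server on port 8000.
C, S = ("192.168.2.105", 53298), ("192.168.2.103", 8000)
SESSION = [
    Packet(*C, *S, "S"), Packet(*S, *C, "SA"), Packet(*C, *S, "A"),
    Packet(*C, *S, "PA"),   # request to the server
    Packet(*S, *C, "PA"),   # response back to the client
]
# sid 5 is the thread's rule; sid 6 is the same header plus flow:to_server,established
RULES = [
    Rule(5, parse_ports("any", VARS), parse_ports("$NOT_MY_HTTP_PORTS", VARS)),
    Rule(6, parse_ports("any", VARS), parse_ports("$NOT_MY_HTTP_PORTS", VARS),
         flow=("to_server", "established")),
]


def demo():
    return run(RULES, SESSION)


if __name__ == "__main__":
    for sid, hits in demo().items():
        print(f"sid {sid}: {hits}")
```

Without the flow option, sid 5 fires on every packet the server sends back (8000 -> 53298), because the destination port of a return packet is the client's ephemeral port, which is not in the negated list. With flow:to_server,established, the return packets are to_client and are dropped by the flow check, and the client's own packets are already excluded by the header since their destination port is 8000.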


Richard Bejtlich wrote:
> On 10/8/07, Matthew Watchinski <mwatchinski@sourcefire.com> wrote:
> > Richard Bejtlich wrote:
> > > Say I create this snort.conf:
> > >
> > > portvar MY_HTTP_PORTS [80,81,82,83,88,8000,8008,8080]
> > > alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not"; sid:4;)
> >
> > It alerts because
> >
> > 192.168.2.105:50970 -> 192.168.2.103:8000
> > is no different than
> > 192.168.2.103:8000 -> 192.168.2.105:50970
> >
> > cause you are running with any any -> any !PORTS
> >
> > any any matches both 192.168.2.105:50970 -> 192.168.2.103:8000
> > and 192.168.2.103:8000 -> 192.168.2.105:50970
>
> Hi Matt,
>
> Thanks for your comments.  I don't understand why these packets are
> "no different".  The MY_HTTP_PORTS variable includes 8000.  If I
> negate MY_HTTP_PORTS in my rule, why do I get an alert on
> 192.168.2.105:50970 -> 192.168.2.103:8000?  Is it because port 8000 in
> the packet is not other ports in the variable, like 80, 81, etc.?
>
> > > Let's try another angle in a new snort.conf.
> > >
> > > portvar NOT_MY_HTTP_PORTS [!80,!81,!82,!83,!88,!8000,!8008,!8080]
> > > alert tcp any any -> any $NOT_MY_HTTP_PORTS (msg:"Example Not"; sid:5;)
> > >
> > > This time, Snort reports only one alert.
> > >
> > > 10/08-17:00:07.050091  [**] [1:5:0] Example Not [**] [Priority: 0]
> > > {TCP} 192.168.2.103:8000 -> 192.168.2.105:53298
> >
> > This I can't reproduce; my test alerts on the same packets as the first
> > rule.  Updating it with flow:to_server,established makes it behave as
> > desired.
>
> This doesn't make sense either.  I'm running
>
> snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.0 IPv6 (Build 67)  FreeBSD
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>            Using PCRE version: 6.6 06-Feb-2006
>
> Before I ask any other questions, are you running the equivalent?
>
> By the way, does your mention of adding "flow" mean the direction
> identifier -> is actually just a placeholder, and not doing anything
> these days?
>
> Thank you,
>
> Richard

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users