Thread: writing Snort rules

  1. #1
    Member (Join Date: May 2003; Location: Somewhere in Texas; Posts: 76)

    writing Snort rules

    I'm learning to write snort rules. Wow, some are really straight forward, and some are "out there."

    It occurred to me that Snort is really busy -- after going through some of the thousands of signatures. (yes, I know, don't run the ones you don't have to.)

    Is anyone aware of efforts to set up a rule-set that will monitor traffic that your network is *supposed* to be doing -- and flag on anything that it sees out of the ordinary? Kinda like a "reverse application" of the filtering scheme. It seems to me that, rather than looking for the possible thousands of signatures, hoping you have one to detect the event, it might be easier to ignore the allowed traffic and flag on any unusual stuff -- like the dude trying to run the SSH shell through port 80, or IRC on an "un-authorized" port.

    How would you go about writing such a rule that says "this SSH traffic on this box is OK, flag all others" ?

    This may be a good way to help detect covert channels – or a good way to fill your logs with a billion false-positives…

    Just a thought...

  2. #2
    create a variable in your snort.conf for your SSH boxes

    Code:
    # ipvar is the Snort 2.4+ form for IP lists (older builds only had var)
    ipvar SSH_SERVERS [10.10.1.1/32,10.10.1.2/32,10.10.1.84/32]
    create a rule, local.rules is a good place.

    Code:
    # every rule needs a sid (local rules use 1000000 and up) and a rev
    alert tcp any any -> !$SSH_SERVERS 22 (msg:"Some crazy SSH traffic on non-SSH server"; sid:1000001; rev:1;)
    You could get fancy and check the content to make sure it is true SSH traffic and not just something hitting port 22. But this is a quick and lazy way to do what you want.
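Taking the reply's allowlist idea one step further, as an added example that is not code from the thread or from the Snort project: a Python script that emits the negated rules for snort.conf and local.rules, adds the "get fancy" content check on the SSH version banner (`SSH-` at the start of the first server payload, per RFC 4253) so an sshd listening on port 80 is still caught, and then runs the same match logic over a few constructed packets to show which rule fires on what. The host list, SIDs, rule messages and sample packets are all made up for the example.

```python
"""Allowlist-style Snort rules for SSH, plus an offline check of the same logic."""
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed allowlist (assumption): the only hosts that should serve SSH.
SSH_SERVERS = ["10.10.1.1/32", "10.10.1.2/32", "10.10.1.84/32"]
SSH_PORT = 22
SSH_BANNER = b"SSH-"  # RFC 4253 section 4.2: first bytes an SSH server sends
BASE_SID = 1000001    # local rules use SIDs of 1,000,000 and up


@dataclass
class Packet:
    """Only the fields the rules below look at (constructed sample input)."""
    src: str
    sport: int
    dst: str
    dport: int
    flow: str          # "to_server" or "to_client", as in Snort's flow: keyword
    payload: bytes = b""


@dataclass
class Rule:
    text: str                        # the line that goes in local.rules
    match: Callable[[Packet], bool]  # the same test, expressed in Python


def in_list(ip: str, cidrs: list[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def has_banner(p: Packet) -> bool:
    # content:"SSH-"; depth:4;  -> the banner must be the first 4 payload bytes
    return p.flow == "to_client" and p.payload[:4] == SSH_BANNER


def snort_conf_lines() -> list[str]:
    # ipvar (not var) is the Snort 2.4+ form for IP lists
    return [f"ipvar SSH_SERVERS [{','.join(SSH_SERVERS)}]"]


def build_rules() -> list[Rule]:
    sid = BASE_SID
    rules: list[Rule] = []

    def add(header: str, msg: str, opts: str, fn: Callable[[Packet], bool]) -> None:
        nonlocal sid
        rules.append(Rule(
            f'alert tcp {header} (msg:"{msg}"; {opts} sid:{sid}; rev:1;)', fn))
        sid += 1

    # 1. A client completing a connection to port 22 on a host that is not
    #    an SSH server (flow:established keeps bare SYN scans out of the log).
    add(f"any any -> !$SSH_SERVERS {SSH_PORT}",
        "SSH to host not in SSH_SERVERS",
        "flow:to_server,established;",
        lambda p: p.flow == "to_server" and p.dport == SSH_PORT
                  and not in_list(p.dst, SSH_SERVERS))
    # 2. An SSH banner coming back from a host not in the list, on any port
    #    (this is the sshd-on-port-80 case from the question).
    add("!$SSH_SERVERS any -> any any",
        "SSH banner from host not in SSH_SERVERS",
        'flow:to_client,established; content:"SSH-"; depth:4;',
        lambda p: has_banner(p) and not in_list(p.src, SSH_SERVERS))
    # 3. A listed SSH server answering SSH on a port other than 22.
    add(f"$SSH_SERVERS !{SSH_PORT} -> any any",
        "SSH banner from SSH_SERVERS on non-SSH port",
        'flow:to_client,established; content:"SSH-"; depth:4;',
        lambda p: has_banner(p) and in_list(p.src, SSH_SERVERS)
                  and p.sport != SSH_PORT)
    return rules


def local_rules() -> list[str]:
    return [r.text for r in build_rules()]


def alerts(p: Packet) -> list[str]:
    """Messages of the rules that would fire on this packet."""
    return [r.text.split('msg:"')[1].split('"')[0]
            for r in build_rules() if r.match(p)]


if __name__ == "__main__":
    print("\n".join(snort_conf_lines() + local_rules()))
    # Constructed traffic: legit SSH, SSH to a workstation, sshd hiding on 80.
    samples = [
        Packet("10.10.1.50", 40001, "10.10.1.1", 22, "to_server"),
        Packet("10.10.1.1", 22, "10.10.1.50", 40001, "to_client", b"SSH-2.0-OpenSSH_9.6\r\n"),
        Packet("10.10.1.50", 40002, "10.10.1.77", 22, "to_server"),
        Packet("10.10.1.77", 80, "10.10.1.50", 40003, "to_client", b"SSH-2.0-dropbear\r\n"),
        Packet("10.10.1.77", 80, "10.10.1.50", 40004, "to_client", b"HTTP/1.1 200 OK\r\n"),
    ]
    for p in samples:
        print(p.src, p.sport, "->", p.dst, p.dport, alerts(p) or "ok")
```

The first rule is the reply's rule with `flow:established` added, so a port scanner sweeping 22 does not fill the log with one alert per SYN; the two banner rules only look at the first four bytes of the server's first payload, which is cheap but also means an SSH server that has been patched to send something other than `SSH-` first will slip past them. Anything that is neither SSH_SERVERS on port 22 nor a normal client of those hosts trips exactly one of the three.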

  3. #3

    thanks

    cool. Thanks. didn't think of a big ol' NOT...

    will try it out.
