From: Piers Williams (PiersWzinc.co.uk)
Date: Tue Jun 19 2001 - 08:45:11 CDT


    hmm, that just means you're going to have to write a whole bunch of pass
    rules.
    My problem is similar: the 'MISC source port 53 access to <1024' rule goes
    off like _all_ the time.
            alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1023"; flags:S; reference:arachnids,7;)
    ...and it's all perfectly legit DNS traffic that sets it off.

    I don't want to add
            pass tcp any 53 -> dnsservers 53
    as I still want the DNS traffic analysed for normal BIND attacks. So how to
    exclude the DNS traffic from the rule, short of writing something like:
            alert tcp $EXTERNAL_NET 53 -> !$DNS_SERVERS :1024 (msg:"MISC source port 53 to <1023"; flags:S; reference:arachnids,7;)
            alert tcp $EXTERNAL_NET 53 -> $DNS_SERVERS :52 (msg:"MISC source port 53 to <1023"; flags:S; reference:arachnids,7;)
            alert tcp $EXTERNAL_NET 53 -> $DNS_SERVERS 54:1024 (msg:"MISC source port 53 to <1023"; flags:S; reference:arachnids,7;)

    which seems a bit arse, not least because (!$DNS_SERVERS) != ($HOME_NET &&
    !$DNS_SERVERS) as it were, as well as because it involves editing misc.rules
    rather than local.rules (i.e. there's no clean way of me re-applying my
    changes to the next ruleset release like there would be if all my
    'overrides' were in local.rules).

    BTW: Does snort chain the logic in IP ranges, i.e. would
            [$HOME_NET,!$DNS_SERVERS] be all the homenet IPs that weren't
    in the DNS_Servers range?

    > -----Original Message-----
    > From: Brian Caswell [mailto:bmcmitre.org]
    > Sent: 15 June 2001 14:02
    > To: Roeland Weve
    > Cc: snort-users@lists.sourceforge.net
    > Subject: Re: [Snort-users] ignore host for just a couple of rules, not
    > all
    >
    >
    > Roeland Weve wrote:
    > > 47 45 54 20 2F 73 65 61 72 63 68 72 65 73 75 6C GET /searchresul
    > > 74 2F 2E 2E 2F 70 69 78 2F 6E 61 76 2F 6D 6F 5F t/../pix/nav/mo_
    > > 30 5F 61 2E 67 69 66 20 48 54 54 50 2F 31 2E 30 0_a.gif HTTP/1.0
    > > 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A ..Referer: http:
    > >
    > > I now exclude this host via:
    > > pass tcp any any -> hostip 80
    >
    > pass tcp any any -> hostip 80 (msg:"pass /../ where acceptable";
    > uricontent:"/../"; flags:A+;)

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
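One way to get the exclusion Piers is after without touching misc.rules is the same trick Brian shows in the quoted reply: a pass rule narrowed by rule options so that it swallows only the packets that trip the noisy alert. The fragment below is an added example, not code from the thread; the DNS_SERVERS addresses are made up, and it assumes the rule is kept in local.rules with the stock MISC rule left unchanged.

```snort
# snort.conf: name the resolvers once so the rules stay portable
# (addresses are placeholders for this example)
var DNS_SERVERS [192.168.1.10/32,192.168.1.11/32]

# local.rules
#
# The stock rule in misc.rules stays as shipped:
#   alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1023"; flags:S; reference:arachnids,7;)
#
# It only matches a bare SYN (flags:S), so the pass rule only needs to
# match the same thing for the legitimate case: a SYN from a remote
# resolver's port 53 to our own resolvers' port 53. A SYN carries no
# payload, so every later packet of the connection is still seen by the
# BIND attack signatures; nothing else from source port 53 (e.g. 53 -> 22)
# is passed, which is what the three-rule rewrite above was trying to get.
pass tcp $EXTERNAL_NET 53 -> $DNS_SERVERS 53 (msg:"pass legit DNS SYNs to our resolvers"; flags:S;)
```

The caveat that bites people with this approach: by default Snort applies alert rules before pass rules, so the alert above still fires. Start snort with `-o` to switch the order to Pass->Alert->Log and the pass rule takes effect. Because the override lives in local.rules, dropping in the next misc.rules release does not undo it.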