Re: [Snort-users] rule help for a beginner [long sorry]
From: Alejandro Flores (alejandro.flores@triforsec.com.br)
Date: Wed Apr 14 2004 - 19:03:58 CDT
Hello,
Try using this way:
alert tcp $HOME_NET any -> !$LIVEMEETING !80
$EXTERNAL_NET is everybody.
!$LIVEMEETING = everybody except $LIVEMEETING
Regards,
Alejandro Flores
> Hello,
>
> I am trying to modify an existing rule that is giving me some problems:
>
> # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
> # All rights reserved.
> # $Id: p2p.rules,v 1.11 2003/10/20 15:03:11 chrisgreen Exp $
> #-------------
> # P2P RULES
> #-------------
> # These signatures look for usage of P2P protocols, which are usually
> # against corporate policy
>
>
> This link below does state that "Any HTTP GET request to a port associated
> with a p2p application may generate a false positive event."
>
> http://www.snort.org/snort-db/sid.html?sid=1432
>
> So I guess I should be expecting it, even though it appears to be a false
> positive in my environment. I have users that connect to MS Livemeeting
> service and every time they do, this rule is triggered:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
> flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
>
> Alarms:
> =====================================================
> Apr 13 17:06:53 snort1 snort: [1:1432:4] P2P GNUTella GET
> [Classification: Potential Corporate Privacy Violation] [Priority: 1]:
> {TCP} 172.16.15.32:40361 -> 204.176.46.191:8005
> Apr 13 17:09:41 snort1 snort: [1:1432:4] P2P GNUTella GET
> [Classification: Potential Corporate Privacy Violation] [Priority: 1]:
> {TCP} 172.16.5.57:2821 -> 204.176.46.185:8005
> Apr 13 17:40:57 snort1 snort: [1:1432:4] P2P GNUTella GET
> [Classification: Potential Corporate Privacy Violation] [Priority: 1]:
> {TCP} 172.16.15.32:40541 -> 204.176.46.191:8005
> Apr 13 17:43:06 snort1 snort: [1:1432:4] P2P GNUTella GET
> [Classification: Potential Corporate Privacy Violation] [Priority: 1]:
> {TCP} 172.16.15.4:7407 -> 204.176.46.190:8005
> =====================================================
>
> whois data:
> =====================================================
> doyle@spar:~> whois 204.176.46.191
> UUNET Technologies, Inc. UUNETCBLK176-179 (NET-204-176-0-0-1)
> 204.176.0.0 - 204.179.255.255
> Placeware, Inc. UU-204-176-46-D2 (NET-204-176-46-0-1)
> 204.176.46.0 - 204.176.46.255
> =====================================================
> Placeware=livemeeting now that MS bought them.
> ================================
>
> I have added a variable to my snort.conf to use in the rule:
>
> # modify the p2p rule to avoid detection on the livemeeting servers.
> var LIVEMEETING 204.176.46.0/24
>
> And I have modified the rule as follows adding the !$LIVEMEETING and the []:
>
> alert tcp $HOME_NET any -> [$EXTERNAL_NET,!$LIVEMEETING] !80 (msg:"P2P
> GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
>
> Then restarted everything with no complaints from the logs, but I still seem
> to get the alarms.
>
> snort1:/var/log/snort/204.176.46.190 # cat TCP\:8005-7407
> [**] P2P GNUTella GET [**]
> 04/13-17:43:06.769467 172.16.15.4:7407 -> 204.176.46.190:8005
> TCP TTL:128 TOS:0x0 ID:30612 IpLen:20 DgmLen:267 DF
> ***AP*** Seq: 0xA5D85ECC Ack: 0xE00C147 Win: 0xFD5C TcpLen: 20
> 47 45 54 20 2F 70 61 67 65 20 48 54 54 50 2F 31 GET /page HTTP/1
> 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 .1..User-Agent:
> 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D Mozilla/4.0 (com
> 70 61 74 69 62 6C 65 20 3B 20 4D 53 49 45 20 36 patible ; MSIE 6
> 2E 30 2E 32 38 30 30 2E 31 31 30 36 20 3B 20 4D .0.2800.1106 ; M
> 69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 icrosoft Windows
> 20 32 30 30 30 20 53 65 72 76 69 63 65 20 50 61 2000 Service Pa
> 63 6B 20 33 20 3B 20 50 6C 61 63 65 77 61 72 65 ck 3 ; Placeware
> 20 52 50 43 20 31 2E 30 29 0D 0A 48 6F 73 74 3A RPC 1.0)..Host:
> 20 76 61 70 77 62 64 2E 6F 70 73 2E 70 6C 61 63 vapwbd.ops.plac
> 65 77 61 72 65 2E 63 6F 6D 3A 38 30 30 35 0D 0A eware.com:8005..
> 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 Connection: Keep
> 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 6F -Alive..Cache-Co
> 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D ntrol: no-cache.
> 0A 0D 0A
>
>
> Is there something very obvious that I am doing wrong?
> Thanks
> Eamonn
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
--TriForSec
http://www.triforsec.com.br/
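An added triage check (example code, not from the thread): parse the syslog alert lines Eamonn quoted and test each destination against a rule header's destination field, so you can confirm that every hit landed inside the LIVEMEETING range and that a destination of `!$LIVEMEETING` would match none of them. The values for HOME_NET and EXTERNAL_NET are assumptions marked in the code; bracketed IP lists are deliberately not modelled.

```python
import ipaddress
import re

# Alert lines as quoted in the post (syslog format, each alert on one line here).
ALERTS = """\
Apr 13 17:06:53 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.15.32:40361 -> 204.176.46.191:8005
Apr 13 17:09:41 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.5.57:2821 -> 204.176.46.185:8005
Apr 13 17:40:57 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.15.32:40541 -> 204.176.46.191:8005
Apr 13 17:43:06 snort1 snort: [1:1432:4] P2P GNUTella GET [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 172.16.15.4:7407 -> 204.176.46.190:8005
"""

# snort.conf variables: LIVEMEETING is taken from the post; HOME_NET and
# EXTERNAL_NET are assumed values (the post does not show them).
VARIABLES = {
    "LIVEMEETING": "204.176.46.0/24",
    "HOME_NET": "172.16.0.0/16",
    "EXTERNAL_NET": "any",
}

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[Classification"
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Parse Snort syslog alert lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["sid"], d["dport"] = int(d["sid"]), int(d["dport"])
            out.append(d)
    return out


def addr_matches(spec, ip, variables):
    """Evaluate one Snort address field: any, a CIDR, $VAR, or a !-negated form."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def count_hits(dst_spec, alerts, variables):
    """Number of logged alerts a rule with this destination field would still match."""
    return sum(addr_matches(dst_spec, a["dst"], variables) for a in alerts)
```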