Re: Quick Rule's Question...

[James Hoagland <hoagland () SiliconDefense com>]

At 1:28 PM -0500 3/6/02, Mark Taber wrote:
> Hi guys, and gals...
>
> I am having an issue with a web-misc 403 forbidden alert.  The alert is
> being triggered on a sensor that is hitting a trusted website.  I
> haven't been able to figure out why the machine that the sensor is on is
> trying to hit the website, so I thought that I might be able to write a
> rule to pass that particular IP.  I have never written a rule before and
> am not sure that I have written this one right, so I though I would send
> it out to be critiqued.  Thanks for the help.....
>
> (Rule that is in the web-misc file)
> alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403
> Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12;
> classtype:attempted-recon; sid:1201; rev:2;)
>
> (Rule that I am creating)
> pass tcp $HTTP_SERVERS 80 -> x.x.x.x (IP Of Server on my network)
> (msg:"WEB-MISC 403 Forbidden";flags: A+; content:"HTTP/1.1 403";
> depth:12; classtype:attempted-recon; sid:1201; rev:2;)
>
> I believe I would need to run snort with the -o switch configured, is
> that correct?

This looks right except that you need to include 'any' or the actual 
port number as the destination port in your pass rule.

Enjoy,

  Jim

--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users