86
Chapter 3     Working with Snort Rules
alert icmp ![192.168.2.0/24] any -> any any \
    (msg: "Ping with TTL=100"; ttl: 100;)
This rule is useful, for instance, when you want to examine packets that don't originate
from your home network (which implies that you trust everyone in your home network!).
3.5.3.2 Address Lists
You can also specify a list of addresses in a Snort rule. For example, if your home
network consists of two class C IP networks, 192.168.2.0 and 192.168.8.0, and you want
to apply the above rule to all addresses except hosts in these two networks, you can use the following
modified rule, where the two addresses are separated by a comma.
alert icmp ![192.168.2.0/24,192.168.8.0/24] any -> any any \
    (msg: "Ping with TTL=100"; ttl: 100;)
Note that square brackets are used together with the negation symbol. You don't need the
brackets if you are not using the negation symbol and are listing only a single address.
3.5.4 Port Number
The port number is used to apply a rule to packets that originate from or go to a
particular port or a range of ports. For example, you can use source port number 23 to
apply a rule to those packets that originate from a Telnet server. You can use the keyword
any to apply the rule to all packets irrespective of the port number. Port numbers are
meaningful only for the TCP and UDP protocols. If you have selected IP or ICMP as the
protocol in the rule, the port number does not play any role. The following rule is applied to
all packets that originate from a Telnet server in 192.168.2.0/24, which is a class C network,
and that contain the word "confidential":
alert tcp 192.168.2.0/24 23 -> any any \
    (content: "confidential"; msg: "Detected confidential";)
The same rule can be applied to traffic either going to or originating from any Telnet
server in the network by changing the direction operator to the bidirectional form, as shown below:
alert tcp 192.168.2.0/24 23 <> any any \
    (content: "confidential"; msg: "Detected confidential";)
Port numbers are useful when you want to apply a rule only to a particular type of
data packet. For example, if a vulnerability affects only an HTTP (Hyper Text
Transfer Protocol) web server, you can use port 80 in the rule to detect anybody trying
to exploit it. This way Snort applies that rule only to web server traffic and not to any
other TCP packets. Writing narrowly scoped rules always improves the performance of the IDS.