I have looked at the FAQ for this and it looks to be missing something.
For example, from the FAQ...
Description: WEB-IIS cmd.exe access
Selector: tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
Filter: flow:to_server,established; uricontent:"cmd.exe"; nocase;
Anyone have a list of the selectors and filters you can use in creating a rule?
I can understand syntax, but if you don't know what is allowed and what it does, it makes it very difficult to write one from scratch.
On the $vars... how are these listed, or how are they defined on the system?
Is $EXTERNAL_NET the name of the interface I called my "External NIC"?
Is $HTTP_SERVERS a name of a group I created in Astaro?
Is $HTTP_PORTS a name of a group I created?