This is a discussion on Re: [Snort-users] Port Negation not working? within the Snort forums, part of the System Security and Security Related category; Paul, Thought of something you could try. Add a pass rule for port 25 for each of the 'ip' rules ...
Paul,
Thought of something you could try. Add a pass rule for port 25 for each of the 'ip' rules that are firing on the MIME encoded SMTP traffic, e.g. pass tcp $EXTERNAL_NET any -> $HOME_NET 25 \ (msg:"No alert port 25 - SHELLCODE base64 x86 NOOP"; \ content:"RERERERERERERERERERERERERERERERER"; sid:10000001;) Todd Todd Wease wrote: > Hello Paul, > > Since the rule is an 'ip' rule, the port is insignificant. > > > Todd > > Paul Melson wrote: > >> Because of a high number of false positives caused by MIME-encoded file >> attachments, I have modified most of the shellcode/nop rules on one of our >> sensors so that they should ignore SMTP traffic. However, I have a handful >> of rules that still fire on SMTP traffic. Here's one example. >> >> Original rule: >> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE base64 x86 >> NOOP"; \ >> content:"RERERERERERERERERERERERERERERERER"; metadata:policy security-ips >> drop; \ >> classtype:shellcode-detect; sid:12801; rev:1;) >> >> Modified rule: >> alert ip $EXTERNAL_NET any -> $HOME_NET !25 (msg:"SHELLCODE base64 x86 >> NOOP"; \ >> content:"RERERERERERERERERERERERERERERERER"; metadata:policy security-ips >> drop; \ >> classtype:shellcode-detect; sid:12801; rev:1;) >> >> I still get alerts from the modified rule for SMTP traffic containing the >> "RERERE..." string. I know that the rule/port syntax has been modified in >> 2.8 to allow port lists, but according to the manual[1], this syntax should >> still work for port negation. Am I missing something? >> >> Thanks, >> PaulM >> >> [1] http://www.snort.org/docs/snort_htma...0/node169.html >> >> >> >> >> ------------------------------------------------------------------------- >> This SF.net email is sponsored by: Microsoft >> Defy all challenges. Microsoft(R) Visual Studio 2005. 
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ >> _______________________________________________ >> Snort-users mailing list >> Snort-users@lists.sourceforge.net >> Go to this URL to change user options or unsubscribe: >> https://lists.sourceforge.net/lists/...fo/snort-users >> Snort-users list archive: >> http://www.geocrawler.com/redir-sf.p...st=snort-users >> > > > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Microsoft > Defy all challenges. Microsoft(R) Visual Studio 2005. > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ > _______________________________________________ > Snort-users mailing list > Snort-users@lists.sourceforge.net > Go to this URL to change user options or unsubscribe: > https://lists.sourceforge.net/lists/...fo/snort-users > Snort-users list archive: > http://www.geocrawler.com/redir-sf.p...st=snort-users > ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users |
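The following is an added example, not code from the thread or from Snort, that puts the two points of the exchange above into something runnable: why the "RERERE..." content of sid:12801 keeps matching MIME-encoded mail, and why a `!25` on an `ip` rule changes nothing while a `tcp` pass rule on port 25 does. The rule-matching functions are a deliberately simplified model written for this illustration (Snort's real engine does far more); the SMTP and HTTP packets and the MIME body are constructed inline. One assumption is flagged in the code: the model evaluates pass rules before alert rules. Whether a real sensor does so depends on the `config order:` directive in snort.conf (or the `-o` switch), so check that setting before relying on Todd's pass-rule approach.

```python
"""Added example, not code from the thread or from Snort: it shows why the
"RERE..." content of sid:12801 matches MIME-encoded mail and models the
difference between port handling on an 'ip' rule and on a 'tcp' pass rule.
The matching functions are a simplified model written for this illustration,
not Snort's engine; the packets and MIME body are constructed inline."""
import base64

# Content string of the SHELLCODE base64 x86 NOOP rule quoted in the thread.
SLED_CONTENT = "RERERERERERERERERERERERERERERERER"


def decode_sled(content: str) -> bytes:
    """Base64-decode the longest 4-aligned prefix of a rule content string.

    "RERE" is the base64 encoding of three 0x44 bytes, i.e. ASCII 'D', which
    is 'inc esp' in 32-bit x86: a printable NOP-equivalent used in sleds.
    Any attachment holding a run of 'D' bytes therefore encodes to this.
    """
    usable = content[: len(content) - len(content) % 4]
    return base64.b64decode(usable)


def mime_body_with_attachment(raw: bytes) -> str:
    """Constructed MIME part: base64-encode `raw` with 76-column line wrap."""
    b64 = base64.b64encode(raw).decode("ascii")
    wrapped = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return ("Content-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n" + wrapped + "\r\n")


def header_matches(rule: dict, pkt: dict) -> bool:
    """Model of the rule header check.

    Per Todd's explanation, an 'ip' rule never evaluates its port fields, so
    '!25' on an 'ip' rule is silently ignored.  For tcp/udp the destination
    port is compared, honouring a leading '!' for negation.
    """
    if rule["proto"] == "ip":
        return True
    if rule["proto"] != pkt["proto"]:
        return False
    port = rule["dst_port"]
    if port == "any":
        return True
    if port.startswith("!"):
        return pkt["dst_port"] != int(port[1:])
    return pkt["dst_port"] == int(port)


def evaluate(rules: list, pkt: dict, order=("pass", "alert", "log")):
    """Return (action, sid) of the first matching rule, trying actions in the
    sequence given by `order`.  `order` stands in for the snort.conf
    'config order' setting; pass-first is this model's assumption, so check
    the sensor's real setting before relying on a pass rule."""
    for action in order:
        for rule in rules:
            if (rule["action"] == action and header_matches(rule, pkt)
                    and rule["content"] in pkt["payload"]):
                return action, rule["sid"]
    return None, None


# Paul's modified rule and Todd's suggested pass rule, reduced to the fields
# this model looks at.
MODIFIED_12801 = dict(action="alert", proto="ip", dst_port="!25",
                      content=SLED_CONTENT, sid=12801)
PASS_25 = dict(action="pass", proto="tcp", dst_port="25",
               content=SLED_CONTENT, sid=10000001)


def smtp_packet() -> dict:
    """Constructed inbound SMTP segment carrying an attachment of 60 'D' bytes."""
    return dict(proto="tcp", dst_port=25,
                payload=mime_body_with_attachment(b"D" * 60))


def http_packet() -> dict:
    """Same payload on port 80: the pass rule must not hide this one."""
    return dict(proto="tcp", dst_port=80,
                payload=mime_body_with_attachment(b"D" * 60))


if __name__ == "__main__":
    print("content decodes to:", decode_sled(SLED_CONTENT))
    print("ip rule with !25 on SMTP:", evaluate([MODIFIED_12801], smtp_packet()))
    print("with pass rule, pass first:",
          evaluate([MODIFIED_12801, PASS_25], smtp_packet()))
    print("with pass rule, alert first:",
          evaluate([MODIFIED_12801, PASS_25], smtp_packet(),
                   order=("alert", "pass", "log")))
    print("pass rule does not touch port 80:",
          evaluate([MODIFIED_12801, PASS_25], http_packet()))
```

Running it shows the modified `ip` rule still alerting on the SMTP segment, the pass rule suppressing it only when pass rules are evaluated first, and the same payload on port 80 still alerting, which is the property that makes a port-scoped pass rule preferable to disabling sid:12801 outright. Because the pass rule carries the same `content:` as the alert it shadows, one pass rule is needed per offending `ip` rule, as Todd's message says.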