Fear not, there is a way to do this. Let's use the same testing criteria I did in my last post: same rule, same setup.
My snort.conf file specifies:
- var HOME_NET any
- var EXTERNAL_NET any
Run Snort against the pcap and I get:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
With the following rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Alert!"; content:"/content"; sid:10000001;)
Same as before. Now let's use the -S command line flag. As stated in snort --help, the -S flag is:
-S <n=v> Set rules file variable n equal to value v
So let's do that.
Command line is now:
snort -c snort.conf -l . -r snort.log.1269894717 -k none -S HOME_NET=192.168.0.0/16
Run Snort against the pcap again:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
Alert. Same as before. Okay, now for the real test.
Reverse the direction by setting HOME_NET to the destination's network instead of the source's:
snort -c snort.conf -l . -r snort.log.1269894717 -k none -S HOME_NET=72.14.0.0/16
No alert.
So, for those of you (hundreds of you?) who have been using -h to specify your HOME_NET on the command line, and who read my post yesterday and found out that it doesn't work that way:
Try -S, it'll do what you want.