P. 1
Snort Manual

Snort Manual

|Views: 362|Likes:
Published by Jose Chuncano

More info:

Published by: Jose Chuncano on Sep 11, 2012
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

06/02/2013

pdf

text

original

The direction operator -> indicates the orientation, or direction, of the traffic that the rule applies to. The IP address
and port numbers on the left side of the direction operator is considered to be the traffic coming from the source

log udp any any -> 192.168.1.0/24 1:1024

log udp traffic coming from any port and destination ports ranging from 1 to 1024

log tcp any any -> 192.168.1.0/24 :6000

log tcp traffic from any port going to ports less than or equal to 6000

log tcp any :1024 -> 192.168.1.0/24 500:

log tcp traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 500

Figure 3.4: Port Range Examples

174

log tcp any any -> 192.168.1.0/24 !6000:6010

Figure 3.5: Example of Port Negation

log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23

Figure 3.6: Snort rules using the Bidirectional Operator

host, and the address and port information on the right side of the operator is the destination host. There is also a
bidirectional operator, which is indicated with a <> symbol. This tells Snort to consider the address/port pairs in
either the source or destination orientation. This is handy for recording/analyzingboth sides of a conversation,such as
telnet or POP3 sessions. An example of the bidirectional operator being used to record both sides of a telnet session is
shown in Figure 3.6.

Also, note that there is no <- operator. In Snort versions before 1.8.7, the direction operator did not have proper
error checking and many people used an invalid token. The reason the <- does not exist is so that rules always read
consistently.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->