[Snort-sigs] Newbie Rule Question

Brett.Gillett at ...772...
Thu Aug 22 14:38:07 EDT 2002


Hey everyone,

I am trying to write a Snort rule that will capture invalid packets from a
specific source. I have come up with something, but it doesn't seem to be
working.  If I run tcpdump I can see the source and the bad packet, but
Snort does not alert on it... Here's the rule:

alert tcp a.b.c.0/24 any -> $INTERNAL any (flags:1+; msg:"XXX Unusual Packet";)

I also tried it with alert ip and still no luck.  Any suggestions?

TIA,

Brett
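The rule above hinges on how Snort evaluates the TCP `flags:` option, so here is a small model of that matching logic, added to this page as an illustration; it is not code from the original post or from the Snort project. It follows the `flags:` semantics documented in the Snort 2 manual: the letters F, S, R, P, A, U name the six classic TCP flags, `1` is reserved bit 1 (the most significant bit of the flags byte, CWR) and `2` is reserved bit 2 (ECE), `0` means no flags set, the modifiers `+`, `*` and `!` mean "these bits plus any others", "any of these bits" and "none of these bits", and an optional `,mask` names bits to ignore before comparing. Two caveats that matter for the rule as posted: the option block must be wrapped in `( ... )`, and `flags:` is a TCP option, so it is never evaluated for an `alert ip` rule. The sample flag bytes below are constructed for the example, not captured traffic.

```python
"""Model of Snort's TCP "flags:" rule-option matching (added example)."""

# Bit values of the TCP flags byte, keyed by the letter Snort uses for each.
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "2": 0x40,  # reserved bit 2 (ECE)
    "1": 0x80,  # reserved bit 1 (CWR), the MSB of the flags byte
}


def parse_flags_option(option):
    """Parse the text after 'flags:' into (mode, bits, mask).

    mode is 'exact' (no modifier), 'all' (+), 'any' (*) or 'not' (!).
    Snort sets the mode wherever the modifier character appears, so
    'S+' and '+S' are equivalent. Text after a comma is the ignore mask.
    """
    option = option.strip().rstrip(";")
    flag_part, _, mask_part = option.partition(",")
    mode, bits = "exact", 0
    for ch in flag_part.strip():
        if ch == "+":
            mode = "all"
        elif ch == "*":
            mode = "any"
        elif ch == "!":
            mode = "not"
        elif ch == "0":
            pass  # "0" means "no flags set": leave bits at zero
        elif ch in FLAG_BITS:
            bits |= FLAG_BITS[ch]
        else:
            raise ValueError(f"bad flag character {ch!r} in {option!r}")
    mask = 0
    for ch in mask_part.strip():
        if ch not in FLAG_BITS:
            raise ValueError(f"bad mask character {ch!r} in {option!r}")
        mask |= FLAG_BITS[ch]
    return mode, bits, mask


def flags_match(option, tcp_flags_byte):
    """Return True if a packet with this flags byte satisfies the option."""
    mode, bits, mask = parse_flags_option(option)
    observed = tcp_flags_byte & ~mask & 0xFF  # masked bits are ignored
    if mode == "exact":
        return observed == bits
    if mode == "all":
        return observed & bits == bits
    if mode == "any":
        return observed & bits != 0
    return observed & bits == 0  # 'not'


# Constructed flag bytes standing in for packets a sensor might see.
SAMPLE_PACKETS = {
    "plain SYN": 0x02,
    "SYN with CWR (reserved bit 1)": 0x82,
    "SYN with ECE (reserved bit 2)": 0x42,
    "ACK with CWR": 0x90,
    "SYN/FIN probe": 0x03,
    "SYN/FIN probe with both reserved bits": 0xC3,
    "null scan (no flags)": 0x00,
}


def evaluate(option, packets=SAMPLE_PACKETS):
    """Map each sample packet name to whether the option matches it."""
    return {name: flags_match(option, byte) for name, byte in packets.items()}


if __name__ == "__main__":
    for option in ("1+", "12*", "SF", "SF,12", "0", "!A"):
        hits = [name for name, ok in evaluate(option).items() if ok]
        print(f"flags:{option:<6} -> {hits}")
```

Running the block shows why `flags:1+` is narrower than it may look: it fires only on the two samples that carry reserved bit 1 (CWR), while a plain SYN, an ECE-only SYN, or a SYN/FIN probe with no reserved bits all pass untouched. `flags:12*` catches any packet with either reserved bit, and `flags:SF,12` flags a SYN/FIN combination whether or not the reserved bits are set.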
