[Snort-sigs] Adding Changing Snort Rules

Imran William Smith iwsmith at ...500...
Sun Jun 9 18:07:03 EDT 2002

Snort running on any architecture can RUN the same rules, although 
some rules will only detect attacks on certain architectures.  E.g. snort
on Linux and snort on Win will both detect an attack to an Win IIS
web server if they see it.

Flow: is only supported in the 1.9 branch.

The snort manual (PDF format) has a section on adding new rules.
Also, see the RULES.SAMPLE file, which has been written as snort
goes along, explaining the new functionality in each release.  It's a bit
out of date because from snort 1.8, rules have signature id (sid:)
and a revision id (rev:).  But it's still worth having a look at.

To write new rules, you'll really need to use either snort
or tcpdump in 'show me all the packets' type of mode, to capture
something, then you tailor the signature to match what you see, worrying
about false negatives and false positives as you go.

Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message ----- 
From: "Matt" <btc1 at ...608...>
To: "Snort" <snort-sigs at lists.sourceforge.net>
Sent: Friday, June 07, 2002 6:06 PM
Subject: [Snort-sigs] Adding Changing Snort Rules

Hello I was wondering if there is a down and dirty "howto" on
adding/changing new rules?
I have been using snort for a little over a month and would like to start
tweaking my rules a little. I have noticed some nice rules come thru here
that I think would be nice to try out on my home system(winxp/snort1.8.6)
and have struggled with an efficient way to go about adding/changing rules,
I end up taking two steps forward and ten steps back it seems and would like
to know if there is a better way?
Also I was wondering if there is a difference between rulesets for linux
platforms versus windows platforms?  I cant seem to run any rule that has
this(flow:to_server) in it and was wondering if it was for some other type
platform ??

I appreciate your comments and feedback

Sincere Thanks

Matthew S Barnes


Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list