[Snort-sigs] Rules

Mathias Gygax mg at ...1642...
Tue Jul 1 06:24:21 EDT 2003


On Die, Jul 01, 2003 at 09:54:55 -0300, Vanio Rogerio Santos wrote:
> Hi,

hi,

> I have installed the Snort 2.0.0 and I want to know how to make one rule to 
> block traffic when I receive the following messages:
> 
> [**] [1:2003:2] MS-SQL Worm propagation attempt [**]
> [Classification: Misc Attack] [Priority: 2]
> 07/01-09:57:47.857720 63.167.29.155:1226 -> 10.17.46.10:1434
> UDP TTL:113 TOS:0x0 ID:21995 IpLen:20 DgmLen:404
> Len: 376
> [Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref => 
> http://www.securityfocus.com/bid/5311][Xref => 
> http://www.securityfocus.com/bid/5310]

take a look at:

Package: swatch
Description: log file viewer with regexp matching, highlighting, & hooks
 Swatch is designed to monitor system activity.  It reads a configuration
 file which contains pattern(s) to look for and action(s) to perform when
 each pattern is found.

 A typical action is echoing the matched line in a variety of colours and
 formats including reverse video, bold, underline, and normal, which swatch
 knows how to do internally.  Other actions include sending mail or
 executing an arbitrary program on the line.

 Swatch is written in Perl and uses Perl regular expressions for line
 matching.

try to connect swatch and snort and add a hook to block the detected
servers.

HTH

 - regards, turrican
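As an added illustration of the approach suggested above (parse the Snort alert, then hand the offending source address to a blocking hook), here is a small Python script that is not part of the original post and not swatch itself. It parses the "full" alert block quoted in the question, and decides whether to emit a firewall command for the source. Two details a practitioner would want before wiring this to a real firewall are built in: only the signature IDs you configure trigger an action, and private, reserved and allowlisted sources are never blocked, because the UDP source address in a Slammer-style probe can be spoofed and an unconditional auto-block would let anyone cut off hosts of their choosing. The SID set, the allowlist and the `iptables` command shape are assumptions for the example; the sample alert text is constructed from the post.

```python
import ipaddress
import re
from typing import Iterator, Optional

# Constructed sample input: the Snort "full" alert block quoted in the question above.
SAMPLE_ALERT = """\
[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
07/01-09:57:47.857720 63.167.29.155:1226 -> 10.17.46.10:1434
UDP TTL:113 TOS:0x0 ID:21995 IpLen:20 DgmLen:404
Len: 376
"""

# "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src:port -> dst:port"
PACKET_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\b")


def parse_alert(block: str) -> Optional[dict]:
    """Parse one Snort full-format alert block into a dict, or None if malformed."""
    alert: dict = {}
    for line in block.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            alert.update(gid=int(m.group(1)), sid=int(m.group(2)),
                         rev=int(m.group(3)), msg=m.group(4))
            continue
        m = PACKET_RE.match(line)
        if m:
            alert.update(timestamp=m.group(1), src_ip=m.group(2),
                         src_port=int(m.group(3)), dst_ip=m.group(4),
                         dst_port=int(m.group(5)))
            continue
        m = PROTO_RE.match(line)
        if m:
            alert["proto"] = m.group(1)
    required = ("sid", "src_ip", "dst_port", "proto")
    return alert if all(k in alert for k in required) else None


def block_command(alert: dict, act_on_sids=frozenset({2003}),
                  allowlist=()) -> Optional[str]:
    """Return a firewall command for the alert's source, or None if no action applies.

    act_on_sids: signature IDs worth auto-blocking (assumed: 2003 = the worm rule above).
    allowlist:   CIDR strings that must never be blocked, e.g. partner networks.
    """
    if alert["sid"] not in act_on_sids:
        return None
    src = ipaddress.ip_address(alert["src_ip"])
    # Refuse to block internal or non-routable space: UDP sources are spoofable,
    # so a blocking hook without this check can be turned against your own hosts.
    if (src.is_private or src.is_loopback or src.is_multicast
            or src.is_reserved or src.is_unspecified):
        return None
    if any(src in ipaddress.ip_network(net, strict=False) for net in allowlist):
        return None
    # Assumed command shape; narrow the block to the probed protocol and port.
    return (f"iptables -I INPUT -s {src} -p {alert['proto'].lower()} "
            f"--dport {alert['dst_port']} -j DROP")


def commands_from_log(text: str, **kwargs) -> Iterator[str]:
    """Split a Snort alert file into blank-line separated blocks and yield block commands."""
    for block in re.split(r"\n\s*\n", text.strip()):
        alert = parse_alert(block)
        if alert is None:
            continue
        cmd = block_command(alert, **kwargs)
        if cmd is not None:
            yield cmd


if __name__ == "__main__":
    for cmd in commands_from_log(SAMPLE_ALERT):
        print(cmd)  # prints the command; a real hook would run it via subprocess
```

Feed the script the same file swatch would watch (the Snort alert log), and have the hook run each returned command; blocks added this way should also expire after a fixed time rather than accumulate forever.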
