[Snort-sigs] A question about Snort

adam.w.hogan adam.w.hogan at ...1605...
Thu Jun 12 10:56:26 EDT 2003


The way I have the P2P GNUTella GET rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

Of course, you'll need to define $HTTP_PORTS in snort.conf.  Or you
could just replace !$HTTP_PORTS in the rule with ![80, 8080].

-Adam.
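As an added illustration (this is not from Adam's or the original poster's mail), here is the same rule written out as a snort.conf fragment with the "before" form next to the variable form. The value chosen for HTTP_PORTS is an assumption; use the ports your own web servers listen on. The variable must be defined before any rule that references it, and only one copy of sid 1432 should be active at a time, so the alternatives are commented out.

```snort
# snort.conf fragment (added example, not from the thread)

# Before: only port 80 is excluded, so a "GET " to 8080 still alerts.
# alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

# After: define the web ports once, then negate the variable in the header.
# Assumed value. Note this is a range: 80 through 8080 inclusive, so it also
# suppresses the rule for 81-8079. Define the var before the rules that use it.
var HTTP_PORTS 80:8080

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

# Port-list form for exactly 80 and 8080. Whether a bracketed list is accepted
# in a rule header or a var depends on the Snort version; check yours before
# enabling this line instead of the range form above.
# alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,8080] (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)
```

A quick check after editing is to run snort with the config and `-T` (test mode) so a rejected port spec or a duplicate sid shows up as a parse error instead of silently loading nothing.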

-----Original Message-----
From: Maria Teresa Herrera Hueso [mailto:mtherhue at ...1601...]
Sent: Tuesday, June 10, 2003 8:55 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] A question about Snort


Hello,

we have installed Snort 2.0. We would like to make our own alerts for
Snort.

We would like to modify this alert:

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

to specify !80 and !8080, I mean, so that there are no alerts for these
ports (80 and 8080), but we do not know how to write it. How could we do it?
Could you send us a manual about this, please?

Thank you very much.

Maite and Javi



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs