[Snort-sigs] SNORT HELP

Matt Kettler mkettler at ...189...
Mon Sep 22 08:18:04 EDT 2003

At 03:02 PM 9/19/2003, acastellani at ...1891... wrote:
>Is there a location I can submit questions for help with Snort.  We are
>running 2.0 and would like to set Snort to monitor and alarm all outgoing
>port 80 traffic.  I am not sure if there is a group I could submit these
>types of questions to.

In general I'd suggest asking them on the snort-users mailing list for 
general questions. If you're doing custom rule development, then this 
list (snort-sigs) would be the proper one, but anything else should go to the 
snort-users list.

Also, in the case of general questions, be sure to stop by the www.snort.org 
website and check the FAQ first.

As for your specific question, it has to do with rule development, so this 
is the proper list for it.

You didn't really specify if the outbound traffic was from port 80, or to 
port 80, so I made rules for each. I'm also assuming that you're interested 
in tcp port 80, not udp port 80.

If you want to alert on all outgoing traffic _TO_ port 80 you might want 
something like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"outbound traffic to http server"; sid:1000000; rev:1;)

If you want all outgoing traffic _FROM_ port 80 on your end:

alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"outbound traffic from local http server"; sid:1000001; rev:1;)

If you only want to catch the fact that a connection was established, add 
"flags:S+;" between the msg and the sid parts; as it stands, these rules 
will alert for each and every packet on the local half of an http conversation.
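As an added illustration (not code from the post or from Snort itself), a small Python matcher for the header fields and the flags option of the two rules above, run over a constructed handful of packets. It assumes sample values for $HOME_NET and $EXTERNAL_NET and shows why, without "flags:S+;", every local-side packet of a single web fetch raises its own alert while the flags version fires once per connection.

```python
import ipaddress
import re
# Constructed sample values for the Snort variables (assumed, not from the post).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}
# The two rules from the post, plus the "connection established only" variant of the first.
RULE_TO_HTTP = 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"outbound traffic to http server"; sid:1000000; rev:1;)'
RULE_FROM_HTTP = 'alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"outbound traffic from local http server"; sid:1000001; rev:1;)'
RULE_TO_HTTP_SYN = RULE_TO_HTTP.replace("sid:", "flags:S+; sid:")
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(text):
    """Split a one-line Snort rule into its header fields and an options dict."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    pairs = (o.strip().split(":", 1) for o in opts.split(";") if o.strip())
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "options": {k.strip(): v.strip().strip('"') for k, v in pairs}}

def ip_matches(spec, ip):
    spec = VARS.get(spec, spec)  # expand $HOME_NET / $EXTERNAL_NET; a leading '!' negates
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))) != spec.startswith("!")

def flags_match(spec, pkt_flags):
    # flags:S+ -> SYN must be set, other bits allowed; without '+' the bit set must match exactly
    required = set(spec.rstrip("+"))
    return required <= set(pkt_flags) if spec.endswith("+") else required == set(pkt_flags)

def rule_matches(rule, pkt):
    src, sport, dst, dport, flags = pkt
    port_ok = lambda spec, p: spec == "any" or int(spec) == p
    if not (ip_matches(rule["src"], src) and port_ok(rule["sport"], sport)
            and ip_matches(rule["dst"], dst) and port_ok(rule["dport"], dport)):
        return False
    spec = rule["options"].get("flags")
    return spec is None or flags_match(spec, flags)

def count_alerts(rule_text, packets):
    # Number of packets in the capture that would make the rule fire.
    return sum(rule_matches(parse_rule(rule_text), p) for p in packets)

# Constructed packets (src, sport, dst, dport, tcp flags): a local browser fetching a page
# from 203.0.113.5, then a local web server on 192.168.1.20:80 answering an outside client.
PACKETS = [
    ("192.168.1.10", 40000, "203.0.113.5", 80, "S"),    # handshake SYN
    ("203.0.113.5", 80, "192.168.1.10", 40000, "SA"),   # inbound reply, src not in $HOME_NET
    ("192.168.1.10", 40000, "203.0.113.5", 80, "PA"),   # the GET request
    ("192.168.1.20", 80, "198.51.100.7", 51000, "SA"),  # local web server answering
    ("192.168.1.20", 80, "198.51.100.7", 51000, "PA"),
]
```

Real Snort applies the same header checks to every packet it sees, so the counts here are what you would see in the alert file for this capture.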

