[Snort-sigs] SNORT HELP
mkettler at ...189...
Mon Sep 22 08:18:04 EDT 2003
At 03:02 PM 9/19/2003, acastellani at ...1891... wrote:
>Is there a location I can submit questions for help with Snort. We are
>running 2.0 and would like to set Snort to monitor and alarm all outgoing
>port 80 traffic. I am not sure if there is a group I could submit these
>type of questions too.
In general I'd suggest asking them on the snort-users mailing list for
general questions. If you're doing custom rule development, then this
list (snort-sigs) would be the proper one, but anything else should go to the
Also, in the case of general questions, be sure to stop by the www.snort.org
website and check the FAQ first.
As for your specific question, it has to do with rule development, so this
is the proper list for it.
You didn't really specify if the outbound traffic was from port 80, or to
port 80, so I made rules for each. I'm also assuming that you're interested
in tcp port 80, not udp port 80.
If you want to alert on all outgoing traffic _TO_ port 80 you might want
something like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"outbound traffic to http
If you want all outgoing traffic _FROM_ port 80 on your end:
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"outbound traffic from
local http server"; sid:1000001; rev:1;)
If you only want to catch the fact that a connection was established, add
"flags:S+;" between the msg and the sid parts; as it stands, these rules
will alert for each and every packet on the local half of a http conversation.
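As an added illustration (not part of the original post), here is a small Python model of how the "to port 80" rule fires across one constructed HTTP connection, with and without "flags:S+". The $HOME_NET value, the addresses and the packet sequence are assumptions made for the demo; the flag semantics follow Snort's (a bare letter list must match exactly, a trailing "+" means those bits plus any others).

```python
import ipaddress

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed value for $HOME_NET

def side(ip):
    """Classify an address as $HOME_NET or $EXTERNAL_NET (everything else)."""
    return "home" if ipaddress.ip_address(ip) in HOME_NET else "external"

def flags_match(spec, pkt_flags):
    """Snort 'flags' option: 'S' matches only a bare SYN, 'S+' matches SYN
    with any other bits set as well (e.g. SYN-ACK)."""
    if spec is None:
        return True
    want, have = set(spec.rstrip("+")), set(pkt_flags)
    return want <= have if spec.endswith("+") else want == have

def rule_matches(rule, pkt):
    """Header check (src net, src port, direction, dst net, dst port) plus flags."""
    return (rule["src"] == side(pkt["src"]) and rule["dst"] == side(pkt["dst"])
            and rule["sport"] in ("any", pkt["sport"])
            and rule["dport"] in ("any", pkt["dport"])
            and flags_match(rule["flags"], pkt["flags"]))

def count_alerts(rule, packets):
    return sum(1 for p in packets if rule_matches(rule, p))

# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (...)   -- the "to port 80" rule
TO_HTTP = {"src": "home", "sport": "any", "dst": "external", "dport": 80, "flags": None}
TO_HTTP_SYN = dict(TO_HTTP, flags="S+")           # same rule with flags:S+ added

def http_conversation():
    """Constructed TCP exchange: 10.1.1.5 fetching a page from 192.0.2.10:80."""
    c, s = ("10.1.1.5", 40000), ("192.0.2.10", 80)
    def pkt(src, dst, flags):
        return {"src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1],
                "flags": flags}
    return [pkt(c, s, "S"), pkt(s, c, "SA"), pkt(c, s, "A"),    # handshake
            pkt(c, s, "PA"), pkt(s, c, "PA"), pkt(c, s, "A"),   # request/response
            pkt(c, s, "FA"), pkt(s, c, "FA"), pkt(c, s, "A")]   # teardown

if __name__ == "__main__":
    conv = http_conversation()
    print("without flags:", count_alerts(TO_HTTP, conv), "alerts")   # 6
    print("with flags:S+:", count_alerts(TO_HTTP_SYN, conv), "alerts")  # 1
```

Every client-side packet fires the bare rule, while the flags:S+ variant fires once for the SYN; the server's SYN-ACK is not counted because it travels from $EXTERNAL_NET to $HOME_NET.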