[Snort-sigs] Snort - problem

eirinina at ...3092... eirinina at ...3092...
Thu Jun 16 12:54:21 EDT 2005


I installed Snort in a workstation in order to capture abnormal activities, 
such as outcoming uncrupted information.  

I type: 

snort -den -l ../log -h xxx.xxx.xxx.xxx./32 -c ../etc/snort/conf 

in order to enable NIDS mode and I made a file name find.rules with the following rule: 

alert tcp any any -> any any (msg:"Content test found"; content:"test";) 

The problem is that Snort generates alerts only for incoming packets that contain the 
word "test". I care about the outcoming packets. What should I change? 

I also installed a apache web server and I captured packets from external network 
to server. But, I want exactly the opposite. To capture outcoming packets from the 
workstation to the external network. 

(I am trying to do all the above because I want to protect the workstation from 
social engineering attacks. Is this feasible???) 

If the above cannot be done, should I install Snort in a switch? 

Thank you, 

More information about the Snort-sigs mailing list