[Snort-sigs] Alert rules

Nigel Houghton nigel at ...435...
Thu Mar 9 14:37:03 EST 2006


On  0, FRANK SORNATALE <sornatale at ...12...> allegedly wrote:
> Was wondering if anyone can help me figure out these rules. Please, I 
> really need the help from some experienced users.
> 
> 1. Create an alert from any incoming packets from source address 
> 66.35.250.203, source port 80 to any machine on the internal network.
> 
> 2. Create an alert for any incoming packet whose contents contain "tcpdump" 
> (case sensitive).
> 
> 3. Create an alert for any outgoing packets that list the CUPS protocol.
> 
> 4. Create an alert for any packet that attempts to CREATE an ssh connection.
> 
> 5. Create an alert for any packet whose contents contain the word "bard" 
> (not case sensitive).
> 
> 7. Create an alert for any packets from source 172.17.76.1 and whose 
> destination is 172.17.76.3, that contain the keyword "diffie".
> 
> 8. Create an alert for any packets whose destination port (on the trusted, 
> internal network) is 50146.
> 
> 9. Create an alert for any outgoing packets whose source port is 42637 and 
> whose contents contain the keyword "firefox" (case insensitive).
> 
> 10. Create an alert for any packets that contain a source or destination IP 
> address within the 192.168.0.0/24 domain.
 
These are very simple rules to write. Please look at the snort manual
and existing rules to answer your own questions. 

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.



