[Snort-sigs] Alert rules

FRANK SORNATALE sornatale at ...12...
Thu Mar 9 14:49:02 EST 2006


I know you say these are very basic rules but I have never dealt with snort.
As a matter of fact I never dealt with networking.  That is why I need help,
because even when I look at the manual I get confused as I get more into it.


>From: Nigel Houghton <nigel at ...435...>
>Reply-To: snort-sigs at lists.sourceforge.net
>To: FRANK SORNATALE <sornatale at ...12...>
>CC: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] Alert rules
>Date: Thu, 9 Mar 2006 16:36:25 -0600
>
>On  0, FRANK SORNATALE <sornatale at ...12...> allegedly wrote:
> > Was wondering if anyone can help me figure out these rules:  Please I
> > really need the help from some experienced users.
> >
> > 1. Create an alert from any incoming packets from source address
> > 66.35.250.203, source port 80 to any machine on the internal network.
> >
> > 2. Create an alert for any incoming packet whose contents contain "tcpdump"
> > (case sensitive).
> >
> > 3. Create an alert for any outgoing packets that list the CUPS protocol.
> >
> > 4. Create an alert for any packet that attempts to CREATE an ssh connection.
> >
> > 5. Create an alert for any packet whose contents contain the word "bard"
> > (not case sensitive).
> >
> > 7. Create an alert for any packets from source 172.17.76.1 and whose
> > destination is 172.17.76.3, that contains the keyword "diffie".
> >
> > 8. Create an alert for any packets whose destination port (on the trusted,
> > internal network) is 50146.
> >
> > 9. Create an alert for any outgoing packets whose source port is 42637 and
> > whose contents contain the keyword "firefox" (case insensitive).
> >
> > 10. Create an alert for any packets that contain a source or destination IP
> > address within the 192.168.0.0/24 domain.
>
>These are very simple rules to write. Please look at the snort manual
>and existing rules to answer your own questions.
>
>+--------------------------------------------------------------------+
>      Nigel Houghton      Research Engineer       Sourcefire Inc.
>                    Vulnerability Research Team
>
>          There is no theory of evolution, just a list
>             of creatures Vin Diesel allows to live.
>
>
