[Snort-sigs] Alert rules

Jason Brvenik jasonb at ...435...
Thu Mar 9 18:43:01 EST 2006


Frank,

Mail me privately and I'll be happy to help get you going.

FRANK SORNATALE wrote:
> I know you say these are very basic rules but I have never dealt with
> Snort. As a matter of fact I never dealt with networking. That is why I
> need help because even when I look at the manual I get confused as I get
> more into it.
> 
> 
>> From: Nigel Houghton <nigel at ...435...>
>> Reply-To: snort-sigs at lists.sourceforge.net
>> To: FRANK SORNATALE <sornatale at ...12...>
>> CC: snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] Alert rules
>> Date: Thu, 9 Mar 2006 16:36:25 -0600
>>
>> On  0, FRANK SORNATALE <sornatale at ...12...> allegedly wrote:
>> > Was wondering if anyone can help me figure out these rules. Please, I
>> > really need the help from some experienced users.
>> >
>> > 1. Create an alert from any incoming packets from source address
>> > 66.35.250.203, source port 80 to any machine on the internal network.
>> >
>> > 2. Create an alert for any incoming packet whose contents contain
>> > "tcpdump" (case sensitive).
>> >
>> > 3. Create an alert for any outgoing packets that list the CUPS
>> > protocol.
>> >
>> > 4. Create an alert for any packet that attempts to CREATE an ssh
>> > connection.
>> >
>> > 5. Create an alert for any packet whose contents contain the word
>> > "bard" (not case sensitive).
>> >
>> > 7. Create an alert for any packets from source 172.17.76.1 and whose
>> > destination is 172.17.76.3, that contain the keyword "diffie".
>> >
>> > 8. Create an alert for any packets whose destination port (on the
>> > trusted, internal network) is 50146.
>> >
>> > 9. Create an alert for any outgoing packets whose source port is
>> > 42637 and whose contents contain the keyword "firefox" (case insensitive).
>> >
>> > 10. Create an alert for any packets that contain a source or
>> > destination IP address within the 192.168.0.0/24 domain.
>>
>> These are very simple rules to write. Please look at the snort manual
>> and existing rules to answer your own questions.
>>
>> +--------------------------------------------------------------------+
>>      Nigel Houghton      Research Engineer       Sourcefire Inc.
>>                    Vulnerability Research Team
>>
>>          There is no theory of evolution, just a list
>>             of creatures Vin Diesel allows to live.
>>
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by xPML, a groundbreaking scripting
>> language
>> that extends applications into web and mobile media. Attend the live
>> webcast
>> and join the prime developer group breaking into this new coding
>> territory!
>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
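The rule specifications in the quoted question, written out in Snort 2.x rule syntax as a local rules file. This is an added example, not part of the thread and not from any Snort or Sourcefire ruleset. It assumes the standard snort.conf variables $HOME_NET (the trusted internal network) and $EXTERNAL_NET; it treats "CUPS protocol" as IPP on TCP port 631, "attempts to CREATE an ssh connection" as a bare TCP SYN to port 22, and "192.168.0.0/24 domain" as that CIDR block; SIDs are taken from the local range (1000001 and up). The question has no item 6, so the file has none either.

```snort
# local.rules -- added example; assumes $HOME_NET / $EXTERNAL_NET are set in snort.conf

# 1. Incoming packets from 66.35.250.203, source port 80, to any internal host
alert tcp 66.35.250.203 80 -> $HOME_NET any (msg:"LOCAL inbound from 66.35.250.203:80"; sid:1000001; rev:1;)

# 2. Incoming packet whose payload contains "tcpdump"
#    (Snort 2 content matches are case sensitive unless nocase is given)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL inbound payload contains tcpdump"; content:"tcpdump"; sid:1000002; rev:1;)

# 3. Outgoing CUPS traffic (assumption: CUPS is IPP over TCP/631)
alert tcp $HOME_NET any -> $EXTERNAL_NET 631 (msg:"LOCAL outbound CUPS/IPP"; sid:1000003; rev:1;)

# 4. Attempt to open an SSH connection: flags:S matches a segment with only SYN set
alert tcp any any -> any 22 (msg:"LOCAL ssh connection attempt"; flags:S; sid:1000004; rev:1;)

# 5. Any packet containing "bard", case insensitive
alert ip any any -> any any (msg:"LOCAL payload contains bard"; content:"bard"; nocase; sid:1000005; rev:1;)

# 7. 172.17.76.1 -> 172.17.76.3 carrying "diffie"
alert ip 172.17.76.1 any -> 172.17.76.3 any (msg:"LOCAL diffie from 172.17.76.1 to 172.17.76.3"; content:"diffie"; sid:1000007; rev:1;)

# 8. Destination port 50146 on the internal network
#    (ports exist only for TCP and UDP, so one rule for each transport)
alert tcp $EXTERNAL_NET any -> $HOME_NET 50146 (msg:"LOCAL tcp to internal port 50146"; sid:1000008; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 50146 (msg:"LOCAL udp to internal port 50146"; sid:1000018; rev:1;)

# 9. Outgoing from source port 42637 containing "firefox", case insensitive
alert tcp $HOME_NET 42637 -> $EXTERNAL_NET any (msg:"LOCAL tcp from port 42637 contains firefox"; content:"firefox"; nocase; sid:1000009; rev:1;)
alert udp $HOME_NET 42637 -> $EXTERNAL_NET any (msg:"LOCAL udp from port 42637 contains firefox"; content:"firefox"; nocase; sid:1000019; rev:1;)

# 10. Source or destination inside 192.168.0.0/24: the <> operator matches either direction
alert ip 192.168.0.0/24 any <> any any (msg:"LOCAL traffic involving 192.168.0.0/24"; sid:1000010; rev:1;)
```

Reference the file from snort.conf with `include $RULE_PATH/local.rules` and run `snort -T -c snort.conf` to check that every rule parses before putting it on a live sensor. Rules 5 and 10 match any packet carrying that string or that network, so on real traffic they are noisy; they answer the question as posed rather than being something to leave enabled.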