[Snort-sigs] Alert rules

Brian Caswell bmc at ...95...
Fri Mar 10 07:20:09 EST 2006


Please do not write these rules for Frank.  Frank is trying to get  
you to do his homework for him.  When he asked me for help earlier, I  
pointed him at the manual.  He needs to learn, not cheat.

Thanks,
Brian

On Mar 9, 2006, at 3:34 PM, FRANK SORNATALE wrote:

> Was wondering if anyone can help me figure out these rules:  Please,  
> I really need the help from some experienced users.
>
> 1. Create an alert from any incoming packets from source address  
> 66.35.250.203, source port 80 to any machine on the internal network.
>
> 2. Create an alert for any incoming packet whose contents contain  
> "tcpdump" (case sensitive).
>
> 3. Create an alert for any outgoing packets that list the CUPS  
> protocol.
>
> 4. Create an alert for any packet that attempts to CREATE an ssh  
> connection.
>
> 5. Create an alert for any packet whose contents contain the word  
> "bard" (not case sensitive).
>
> 7. Create an alert for any packets from source 172.17.76.1 and  
> whose destination is 172.17.76.3, that contains the keyword "diffie".
>
> 8. Create an alert for any packets whose destination port (on the  
> trusted, internal network) is 50146.
>
> 9. Create an alert for any outgoing packets whose source port is  
> 42637 and whose contents contain the keyword "firefox" (case  
> insensitive).
>
> 10. Create an alert for any packets that contain a source or  
> destination IP address within the 192.168.0.0/24 domain.
>