[Snort-sigs] Alert rules
bmc at ...95...
Fri Mar 10 07:20:09 EST 2006
Please do not write these rules for Frank. Frank is trying to get
you to do his homework for him. When he asked me for help earlier, I
pointed him at the manual. He needs to learn, not cheat.
On Mar 9, 2006, at 3:34 PM, FRANK SORNATALE wrote:
> Was wondering if anyone can help me figure out these rules. Please,
> I really need the help from some experienced users.
> 1. Create an alert from any incoming packets from source address
> 18.104.22.168, source port 80 to any machine on the internal network.
> 2. Create an alert for any incoming packet whose contents contain
> "tcpdump" (case sensitive).
> 3. Create an alert for any outgoing packets that list the CUPS
> 4. Create an alert for any packet that attempts to CREATE an ssh
> 5. Create an alert for any packet whose contents contain the word
> "bard" (not case sensitive).
> 7. Create an alert for any packets from source 172.17.76.1 and
> whose destination is 172.17.76.3, that contains the keyword "diffie".
> 8. Create an alert for any packets whose destination port (on the
> trusted, internal network) is 50146.
> 9. Create an alert for any outgoing packets whose source port is
> 42637 and whose contents contain the keyword "firefox" (case
> 10. Create an alert for any packets that contain a source or
> destination IP address within the 192.168.0.0/24 domain.