[Snort-sigs] Alert rules

FRANK SORNATALE sornatale at ...12...
Mon Mar 13 09:15:03 EST 2006


I worked on these rules and I was wondering if you could let me know what I 
could be missing.

3. Create an alert for any outgoing packets that list the CUPS protocol.

Alert tcp any any -> any 514 (msg:”someone is printing”; classtype: 
bad_unknown; sid: 20099997; rev:1;)

4. Create an alert for any packet that attempts to CREATE an ssh connection.

Alert tcp any any -> any 22 (msg:”someone using ssh”; classtype:bad_unkown; 
sid: 20099996; rev:1;)

5. Create an alert for any packet whose contents contain the word "bard" 
(not case sensitive).

Alert tcp any any -> $HOME_NET any (msg:”Someone used the word bard in an 
email or other communications”; content: “bard”; nocase; 
flow:from_server,established; classtype:bad_unknown; sid:20099995; rev:1;)

6. Create an alert for any incoming packets on port 53 whose contents 
contains 'ucf.edu'.

alert tcp any 53 -> $HOME_NET (msg:”Someone using ucf.edu”; 
content:”ucf.edu” flow:from_server,established; sid:20099995; rev:1;


>From: Hugo van der Kooij <hvdkooij at ...481...>
>Reply-To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
>To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
>Subject: Re: [Snort-sigs] Alert rules
>Date: Sun, 12 Mar 2006 21:24:47 +0100 (CET)
>
>On Fri, 10 Mar 2006, Brian Caswell wrote:
>
> > Please do not write these rules for Frank.  Frank is trying to get
> > you to do his homework for him.  When he asked me for help earlier, I
> > pointed him at the manual.  He needs to learn, not cheat.
>
>Somehow the neat list of 10 did trigger some bells. Then there were some
>rules that did not make any sense for a real life network to finish it
>off.
>
>Hugo.
>
>--
>	I hate duplicates. Just reply to the relevant mailinglist.
>	hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
>		Don't meddle in the affairs of magicians,
>		for they are subtle and quick to anger.
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by xPML, a groundbreaking scripting language
>that extends applications into web and mobile media. Attend the live 
>webcast
>and join the prime developer group breaking into this new coding territory!
>http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs

_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/





More information about the Snort-sigs mailing list