[Snort-sigs] Alert rules
sornatale at ...12...
Mon Mar 13 09:15:03 EST 2006
I worked on these rules and I was wondering if you could let me know what I
could be missing.
3. Create an alert for any outgoing packets that list the CUPS protocol.
Alert tcp any any -> any 514 (msg:someone is printing; classtype:
bad_unknown; sid: 20099997; rev:1;)
4. Create an alert for any packet that attempts to CREATE an ssh connection.
Alert tcp any any -> any 22 (msg:someone using ssh; classtype:bad_unkown;
sid: 20099996; rev:1;)
5. Create an alert for any packet whose contents contain the word "bard"
(not case sensitive).
Alert tcp any any -> $HOME_NET any (msg:Someone used the word bard in an
email or other communications; content: bard; nocase;
flow:from_server,established; classtype:bad_unknown; sid:20099995; rev:1;)
6. Create an alert for any incoming packets on port 53 whose contents
alert tcp any 53 -> $HOME_NET (msg:Someone using ucf.edu;
content:ucf.edu flow:from_server,established; sid:20099995; rev:1;
>From: Hugo van der Kooij <hvdkooij at ...481...>
>Reply-To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
>To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
>Subject: Re: [Snort-sigs] Alert rules
>Date: Sun, 12 Mar 2006 21:24:47 +0100 (CET)
>On Fri, 10 Mar 2006, Brian Caswell wrote:
> > Please do not write these rules for Frank. Frank is trying to get
> > you to do his homework for him. When he asked me for help earlier, I
> > pointed him at the manual. He needs to learn, not cheat.
>Somehow the neat list of 10 did trigger some bells. Then there were some
>rules that did not make any sense for a real life network to finish it
> I hate duplicates. Just reply to the relevant mailinglist.
> hvdkooij at ...481... http://hvdkooij.xs4all.nl/
> Don't meddle in the affairs of magicians,
> for they are subtle and quick to anger.
>This SF.Net email is sponsored by xPML, a groundbreaking scripting language
>that extends applications into web and mobile media. Attend the live
>and join the prime developer group breaking into this new coding territory!
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
Dont just search. Find. Check out the new MSN Search!
More information about the Snort-sigs