[Snort-sigs] New to writing Snort Rules. Help writing a rule?

evejou girl at ...3471...
Sat May 19 07:30:28 EDT 2012


Hi Tyler,

I think what you're looking for is how to whitelist IPs:
http://manual.snort.org/node17.html#SECTION003219000000000000000

According to this entry here, you really don't want to use signatures to
white/blacklist stuff:
http://vrt-blog.snort.org/2012/04/snort-performance-and-ip-only-rules.html


-evejou






On Fri, May 18, 2012 at 4:18 PM, Tyler MacPherson <tah338 at ...3678...> wrote:

> Hi,
>
> I recently put Snort on a system for my work. I'm trying to configure it
> by writing certain rules, but since I'm brand new to Snort, I'm having
> some trouble figuring out how to write these rules. Basically, the
> system I'm deploying Snort on should only be receiving traffic through
> two avenues: a MySQL database and Oracle database that are linked to it.
> Everything else should be picked up by Snort as potentially being bad. What
> I'm wondering is, how would I go about writing rules that would achieve
> this goal?
>
> Thank you.
>
> --
> Tyler MacPherson
> Student Operator
> UNH Research Computing Center
> (603) 862-4518
>



-- 
"We who cut mere stones must always be envisioning cathedrals." -- Quarry
worker's creed.
(The Pragmatic Programmer, by Andrew Hunt and David Thomas.)