[Snort-sigs] New to writing Snort Rules. Help writing a rule?

evejou girl at ...3471...
Sat May 19 07:30:28 EDT 2012

Hi Tyler,

I think what you're looking for is how to whitelist IPs:

According to this entry here, you really don't want to use signatures to
white/blacklist stuff:


On Fri, May 18, 2012 at 4:18 PM, Tyler MacPherson <tah338 at ...3678...> wrote:

> Hi,
> I recently put Snort on a system for my work. I'm trying to configure it
> by writing certain rules, but since I'm brand new to Snort, I'm having
> some trouble figuring out how to write these rules. Basically, the
> system I'm deploying Snort on should only be receiving traffic through
> two avenues: a MySQL database and Oracle database that are linked to it.
> Everything else should be picked up by Snort as potentially being bad. What
> I'm wondering is, how would I go about writing rules that would achieve
> this goal?
> Thank you.
> --
> Tyler MacPherson
> Student Operator
> UNH Research Computing Center
> (603) 862-4518

"We who cut mere stones must always be envisioning cathedrals." -- Quarry
worker's creed.
(The Pragmatic Programmer, by Andrew Hunt and David Thomas.)