[Snort-sigs] New to writing Snort Rules. Help writing a rule?

Joel Esler jesler at ...435...
Sun May 20 11:29:34 EDT 2012


Whitelisting (at this time) means "don't blacklist". So it's not an ignore per se. This changes in 2.9.3. 

-- 
Joel Esler

On May 19, 2012, at 7:30 AM, evejou <girl at ...3471...> wrote:

> Hi Tyler,
> 
> I think what you're looking for is how to whitelist IPs:
> http://manual.snort.org/node17.html#SECTION003219000000000000000
> 
> According to this entry here, you really don't want to use signatures to white/blacklist stuff:
> http://vrt-blog.snort.org/2012/04/snort-performance-and-ip-only-rules.html
> 
> 
> -evejou
> 
> On Fri, May 18, 2012 at 4:18 PM, Tyler MacPherson <tah338 at ...3678...> wrote:
> Hi,
> 
> I recently put Snort on a system for my work. I'm trying to configure it
> by writing certain rules, but since I'm brand new to Snort, I'm having
> some trouble figuring out how to write these rules. Basically, the
> system I'm deploying Snort on should only be receiving traffic through
> two avenues: a MySQL database and Oracle database that are linked to it.
> Everything else should be picked up Snort as potentially being bad. What
> I'm wondering is, how would I go about writing rules that would achieve
> this goal?
> 
> Thank you.
> 
> --
> Tyler MacPherson
> Student Operator
> UNH Research Computing Center
> (603) 862-4518
> 
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 
> 
> 
> -- 
> "We who cut mere stones must always be envisioning cathedrals." -- Quarry worker's creed.
> (The Pragmatic Programmer, by Andrew Hunt and David Thomas.)
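The thread points at two mechanisms for Tyler's "only the two database hosts should be talking to me" case: the reputation preprocessor's whitelist (which, as Joel notes, before 2.9.3 only exempts an address from the blacklist rather than ignoring it) and ordinary rules, with the VRT blog warning that IP-only rules are expensive. The fragment below is an added example written for this page, not configuration from the original posts or from the Snort project; the addresses are RFC 5737 documentation ranges chosen as stand-ins for the MySQL and Oracle servers, the file paths and the sid are arbitrary, and the `white trust` option is assumed to be the 2.9.3-and-later syntax for the "really ignore" behaviour Joel describes.

```snort
# --- snort.conf fragment (constructed example, not from the thread) ---

# The only two peers the host is supposed to talk to: the MySQL and Oracle
# database servers. Placeholder addresses from the RFC 5737 documentation range.
ipvar DB_SERVERS [192.0.2.10,192.0.2.11]

# Reputation preprocessor. Before 2.9.3 a whitelisted address is merely
# "not blacklisted" (Joel's point above); traffic from it is still inspected
# by the rules. From 2.9.3 on, "white trust" (assumed syntax) makes the
# whitelist bypass detection entirely, while "white unblack" keeps the
# older meaning.
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    white trust, \
    whitelist /etc/snort/rules/white_list.rules, \
    blacklist /etc/snort/rules/black_list.rules

# --- /etc/snort/rules/white_list.rules (one network per line, # comments) ---
# 192.0.2.10/32   # MySQL server (placeholder)
# 192.0.2.11/32   # Oracle server (placeholder)

# --- /etc/snort/rules/black_list.rules ---
# Empty is fine for the "alert on everything unexpected" goal; the
# blacklist is for addresses you already know you do not want.

# --- local.rules ---
# Alert on any packet that reaches this host from a source that is not one of
# the two database servers. Note this is an IP-only rule (no content match), so
# every packet not matched by the whitelist is evaluated against it; that is
# exactly the performance cost the VRT blog post in the thread warns about, so
# keep such rules few and put a threshold on them.
alert ip !$DB_SERVERS any -> $HOME_NET any ( \
    msg:"LOCAL unexpected source host talking to DB-only system"; \
    classtype:policy-violation; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    sid:1000001; rev:1; )
```

Used this way, the whitelist keeps the two known-good database hosts out of the detection path (on 2.9.3+ with `white trust`; on earlier versions they are still inspected, so the `!$DB_SERVERS` negation in the rule is what really excludes them), and the single negated rule turns every other source into an alert. Before going live, point a test client at the box from an address outside `DB_SERVERS` and confirm one alert per source per minute appears, then from one of the two listed addresses and confirm nothing fires.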