[Snort-sigs] Snort Rule Creation

Joel Esler (jesler) jesler at ...3865...
Tue Jan 31 18:09:25 EST 2017


Maybe something like:

alert tcp $SOURCEIP any -> ![destip1, destip2, destip3] any (msg:”Unauthorized TCP traffic initiated”; flags:S; sid:1000000; rev:1;)

?


--
Joel Esler | Talos: Manager | jesler at ...3865... <mailto:jesler at ...3865...>






> On Jan 31, 2017, at 5:33 PM, John G <drterdnugget at ...2420...> wrote:
> 
> Good Afternoon everyone,
> 
> My name is John and I am starting out with creating Snort rules.  I have experience using Snort with IDS's such as Sourcefire and Security Onion for incident response.  However, i don't have much experience creating custom rules.  Although i once created a rule during one of my security classes during my undergrad program lol  Anyway, i have been reading documentation for how to understand/create rules from a variety of sources.  But I wanted to reach out to you guys and see what information you can provide.
> 
> I have a device that is communicating with about 8 other devices.  I would like to write a rule that alerts if it detects any communication outside of those devices.
> 
> Is it possible to list multiple ip addresses within a rule and maybe use an is not "!=" attribute.
> 
> So something like: alert tcp != sourceip1  80 -> destip1, destip2, destip3, etc (msg:"Alert Message";)
> 
> I would appreciate any assistance and will continue to do my own research and see if i can figure it out on my own :)
> 
> Regards,
> John
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot_______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> http://www.snort.org
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170131/81bbbfb5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170131/81bbbfb5/attachment.sig>


More information about the Snort-sigs mailing list