[Snort-users] ssnort

Christopher Cramer cec at ...68...
Wed Jul 26 14:18:07 EDT 2000


How about:

alert tcp any any -> 10.0.0.0/8 21 (content: "USER"; msg: "FTP connect";)

The 10.0.0.0/8 will listen to the class A network 10.x.x.x

Adding the content line will look for anyone sending a USER string to the
ftp server.

Your previous rule just looked for packets going to that server, thus
multiple alerts.

-Chris

----------------------------------------------------------------------
Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...
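As an added illustration (not code from the list post or from Snort itself), a small Python matcher for just the rule syntax used in this thread, run over constructed packets of one FTP login: it shows why the host-only rule fires once per packet (four alerts for the handshake plus the USER command), while the 10.0.0.0/8 rule with content: "USER" fires once per login attempt and covers any of the 45 virtual IPs. Addresses, ports and payloads are constructed; the matcher models only the Snort behaviour the thread relies on (CIDR destination match, case-sensitive content search).

```python
import ipaddress
import re
from collections import namedtuple
# Only the header fields the rule subset below tests; payload defaults to empty.
Packet = namedtuple("Packet", "proto src sport dst dport payload", defaults=[b""])
RULE_RE = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(rule):
    # 'action proto src sport -> dst dport (key: value; ...)'
    _action, proto, src, sport, dst, dport, opts = RULE_RE.match(rule).groups()
    options = {}
    for opt in opts.split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
    return {"proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "options": options}

def addr_matches(spec, ip):
    # 'any', a single host, or a CIDR block such as 10.0.0.0/8
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    # Header test first, then 'content' as a case-sensitive payload substring search.
    header_ok = (pkt.proto == rule["proto"]
                 and addr_matches(rule["src"], pkt.src) and port_matches(rule["sport"], pkt.sport)
                 and addr_matches(rule["dst"], pkt.dst) and port_matches(rule["dport"], pkt.dport))
    content = rule["options"].get("content")
    return header_ok and (content is None or content.encode() in pkt.payload)

def count_alerts(rule_text, packets):
    return sum(rule_matches(parse_rule(rule_text), p) for p in packets)

# Constructed traffic: one FTP login to virtual IP 10.0.3.75 (the server's SYN/ACK
# and banner flow the other way) plus one USER command to another of the 45 IPs.
CLIENT, SERVER = "192.168.1.20", "10.0.3.75"
PACKETS = [
    Packet("tcp", CLIENT, 40000, SERVER, 21),                        # SYN
    Packet("tcp", SERVER, 21, CLIENT, 40000),                        # SYN/ACK
    Packet("tcp", CLIENT, 40000, SERVER, 21),                        # ACK
    Packet("tcp", SERVER, 21, CLIENT, 40000, b"220 ftp ready\r\n"),  # banner
    Packet("tcp", CLIENT, 40000, SERVER, 21, b"USER thomas\r\n"),
    Packet("tcp", CLIENT, 40000, SERVER, 21),                        # ACK of reply
    Packet("tcp", CLIENT, 40001, "10.0.45.75", 21, b"USER anonymous\r\n"),
]
OLD_RULE = 'alert tcp any any -> 10.0.3.75 21 (msg: "FTP connect";)'
NEW_RULE = 'alert tcp any any -> 10.0.0.0/8 21 (content: "USER"; msg: "FTP connect";)'
```

`count_alerts(OLD_RULE, PACKETS)` returns 4 and `count_alerts(NEW_RULE, PACKETS)` returns 2: one per USER command, including the one sent to 10.0.45.75.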


On Wed, 26 Jul 2000, PANIC! [FS] wrote:

> Hi,
> 
>   I am using snort 1.6.3 on a SUSE 6.4 box. I have 45 virtual ips on
>   my machine in different subnets
>   (10.0.1.75,10.0.2.75,...,10.0.45.75).
>   Now I want snort to listen with all rules on these ips. How can I
>   do that, or do I have to write 45 rules for each rule?
>   Another problem is that I want to log appents fast after each other
>   only ONE time.
>   For example:
>   alert tcp any any -> 10.0.3.75 21 (msg: "FTP connect";)
>   this makes on one connect of a FTP program 4 alerts but I want only
>   1. How can I do this?
>   Ok thanks for all
> 
> CU
> Thomas                         mailto:panic. at ...158...
> 
> 
> 