[Snort-users] Snort Rules Tool

roman at ...438... roman at ...438...
Tue Nov 21 22:34:15 EST 2000


I wrote the "snortrules" tool a while back.  Essentially you use nmap to
scan your network to identify which ports are open on the various hosts
that Snort will be watching.  In turn, snortrules uses this list to weed
out any rules that do not apply.  For example, if no web server running on
port 80 was found in the scan, any rules using this port will be removed.
It is a method to prevent obvious false positives.

Snortrules can be downloaded at:


<jess at ...521...>
Sent by: snort-users-admin at ...635... eforge.net
11/21/00 06:34 PM

To: snort-users at lists.sourceforge.net
cc:
Subject: [Snort-users] Snort Rules Tool


           A few weeks ago at SANS, I was commenting to Marty on the idea of
developing a tool which could automatically build 'ad hoc' rules for a
particular network (based on which ports are open for every particular
the OS, ...), and he told me that there were already people involved in
a project like that. I think he told me it was called "snort rules".

           If anyone listening is actually involved in it, could you just
drop me an e-mail?



Snort-users mailing list
Snort-users at lists.sourceforge.net
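
The port-based pruning described in the reply above, as an added example (this is not the snortrules tool's code and not part of either message). It assumes nmap grepable output (-oG) and rules whose destination is a network variable such as $HOME_NET, so open ports are pooled across all scanned hosts; the scan lines, rules and sids are constructed samples.

```python
import re

# Constructed sample: nmap grepable (-oG) output for two monitored hosts.
NMAP_GREPABLE = (
    "Host: 192.0.2.10 (www)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.20 (ns)\tPorts: 53/open/udp//domain///, 25/filtered/tcp//smtp///\tIgnored State: closed (998)\n"
)
# Constructed sample rules in Snort rule syntax (sids are made up).
RULES = """\
# local rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"web probe"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp probe"; sid:1000002;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"dns probe"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000:6010 (msg:"x11 probe"; sid:1000004;)
alert tcp $EXTERNAL_NET any -> $HOME_NET !80 (msg:"not web"; sid:1000005;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ping"; sid:1000006;)
"""

def open_ports(grepable):
    """Return {(proto, port)} for every port nmap reported open on any host."""
    found = set()
    for line in grepable.splitlines():
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        field = line.partition("Ports:")[2].split("\t")[0]
        for entry in field.split(","):
            f = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(f) >= 3 and f[0].isdigit() and f[1] == "open":
                found.add((f[2], int(f[0])))
    return found

def rule_applies(rule, ports):
    """False only for a tcp/udp '->' rule whose explicit dest port or range has nothing open."""
    head = rule.split("(", 1)[0].split()  # action proto src sport dir dst dport
    if len(head) != 7 or head[1] not in ("tcp", "udp") or head[4] != "->":
        return True  # icmp/ip, bidirectional or unparsed header: keep
    m = re.fullmatch(r"(\d*)(:?)(\d*)", head[6])
    if not m or not (m.group(1) or m.group(3)):
        return True  # any, $VARIABLE, negated port: keep
    lo = int(m.group(1) or 0)
    hi = int(m.group(3) or 65535) if m.group(2) else lo
    return any(proto == head[1] and lo <= port <= hi for proto, port in ports)

def filter_rules(rules_text, ports):
    """Split rule lines into (kept, dropped); comments and blank lines are kept."""
    kept, dropped = [], []
    for line in rules_text.splitlines():
        s = line.strip()
        keep = not s or s.startswith("#") or rule_applies(s, ports)
        (kept if keep else dropped).append(line)
    return kept, dropped
```

Calling filter_rules(RULES, open_ports(NMAP_GREPABLE)) drops only the ftp and x11 rules. A rule dropped this way stays dropped until the next scan, so a service started later on a monitored host goes unwatched unless the scan and the filtering are rerun.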
