[Snort-users] Rules question
alambert at ...387...
Sun Oct 22 16:13:41 EDT 2000
> Can you use snort to say
> anything other than
> any any web
> so you input what you expect, and detect the rest?
> In addition to detecting attacks within what is allowed?
# Inbound TCP to any port below 80 (0-79), from outside $HOME_NET only
alert tcp !$HOME_NET any -> $HOME_NET :79 (msg: "TCP access attempt";)
# Inbound TCP to any port above 80 (81-65535)
alert tcp !$HOME_NET any -> $HOME_NET 81: (msg: "TCP access attempt";)
# Any inbound UDP at all
alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)
That'll pick up any UDP traffic at all, and TCP traffic from 0-79
and from 81-65535.
You'll want to specify the !$HOME_NET -> $HOME_NET because otherwise
the src ports will set off false alarms by the truckload (because
in an any any <> any any, your webserver will be sending requests to
clients on ports other than 80, thus setting off your snort if you don't
have $HOME_NET's specified as mentioned above).
You'll probably generate a lot more alerts with the above examples
than you want to, but it'll give you someplace to start tweaking from.