[Snort-users] Rules question

A.L.Lambert alambert at ...387...
Sun Oct 22 16:13:41 EDT 2000


> Can you use snort to say
>  anything other than
>  any any web
>  so you input what you expect, and detect the rest?
>  In addition to detecting attacks within what is allowed?
>  Thanks
>  Adrian


# Snort 1.x rule headers: action proto src sport -> dst dport (options)
# TCP to any destination port below 80, or above 80, from outside HOME_NET
alert tcp !$HOME_NET any -> $HOME_NET :79 (msg: "TCP access attempt";)
alert tcp !$HOME_NET any -> $HOME_NET 81: (msg: "TCP access attempt";)
# any UDP at all from outside HOME_NET
alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)

	That'll pick up any UDP traffic at all, and TCP traffic from 0-79
and from 81-65535.

	You'll want to specify the !$HOME_NET -> $HOME_NET because otherwise
the src ports will set off false alarms by the truckload.  (because
in an any any <> any any, your webserver will be sending requests to
clients on ports other than 80, thus setting off your snort if you don't
have $HOME_NET's specified as mentioned above).

	You'll probably generate a lot more alerts with the above examples
than you want to, but it'll give you someplace to start tweaking from.  
Cheers!

-- A.L.Lambert
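As an added illustration of the answer above (example code, not part of the original post and not Snort's own matching engine): a small Python matcher for Snort 1.x-style rule headers, run over constructed packet records. It shows the three rules firing on a finger probe, a connection to port 8080 and a UDP datagram but not on the web server's own reply to a client, whereas an unscoped `alert tcp any any -> any 81:` fires on that reply because the client's ephemeral port lands in 81:. HOME_NET is assumed to be 192.168.1.0/24, and every address and packet below is made up for the example.

```python
import ipaddress

# Assumed variable table, standing in for Snort's "var HOME_NET ..." line.
VARS = {"HOME_NET": "192.168.1.0/24"}


def parse_ports(spec):
    """Return (lo, hi) for Snort port specs: any, 80, :79, 81:, 1024:2048."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec)
    return (port, port)


def parse_addr(spec):
    """Return (negated, network) for any, $VAR, !$VAR or a CIDR/host literal."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return (negated, None)
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    return (negated, ipaddress.ip_network(spec, strict=False))


def parse_rule(text):
    """Parse a rule header 'action proto src sport (->|<>) dst dport' plus msg."""
    header, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    msg = ""
    for opt in opts.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        if key.strip() == "msg":
            msg = val.strip().strip('"')
    return {"action": action, "proto": proto, "direction": direction,
            "src": parse_addr(src), "sport": parse_ports(sport),
            "dst": parse_addr(dst), "dport": parse_ports(dport), "msg": msg}


def addr_matches(spec, ip):
    negated, net = spec
    hit = True if net is None else ipaddress.ip_address(ip) in net
    return hit != negated          # a leading "!" inverts the address test


def port_matches(rng, port):
    return rng[0] <= port <= rng[1]


def one_way(rule, pkt):
    return (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))


def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if one_way(rule, pkt):
        return True
    if rule["direction"] == "<>":  # bidirectional: also try the packet flipped
        flipped = dict(pkt, src=pkt["dst"], sport=pkt["dport"], dst=pkt["src"], dport=pkt["sport"])
        return one_way(rule, flipped)
    return False


def alerts(rule_texts, packets):
    rules = [parse_rule(t) for t in rule_texts]
    return [(r["msg"], p["src"], p["dport"]) for p in packets for r in rules if rule_matches(r, p)]


# Constructed traffic: one web request, a finger probe, an 8080 connect,
# the web server's reply to the first client, and an inbound UDP datagram.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51000, "dst": "192.168.1.10", "dport": 80},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51001, "dst": "192.168.1.10", "dport": 79},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51002, "dst": "192.168.1.10", "dport": 8080},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 80, "dst": "203.0.113.5", "dport": 51000},
    {"proto": "udp", "src": "203.0.113.5", "sport": 53, "dst": "192.168.1.10", "dport": 33000},
]

SCOPED_RULES = [
    'alert tcp !$HOME_NET any -> $HOME_NET :79 (msg: "TCP access attempt";)',
    'alert tcp !$HOME_NET any -> $HOME_NET 81: (msg: "TCP access attempt";)',
    'alert udp !$HOME_NET any -> $HOME_NET any (msg: "UDP access attempt";)',
]
UNSCOPED_RULES = ['alert tcp any any -> any 81: (msg: "TCP access attempt";)']


def scoped_alerts():
    return alerts(SCOPED_RULES, PACKETS)


def unscoped_alerts():
    return alerts(UNSCOPED_RULES, PACKETS)


if __name__ == "__main__":
    for label, hits in (("scoped", scoped_alerts()), ("unscoped", unscoped_alerts())):
        print(label, hits)
```

The scoped rules produce three alerts (finger, 8080, UDP) and stay quiet on the server's reply; the unscoped rule fires on the reply's destination port 51000, which is exactly the truckload of false alarms the post warns about.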



