PS: [Snort-users] Snort Newbie

Jason Withrow jwithrow at ...422...
Sat Sep 15 23:49:01 EDT 2001

Ok, I think that is the problem, I need to define the IP's as External
and Internal.
I am guessing (Don't laugh, I am pretty new at this) that the $EXTERNAL
var should be my global internet NIC IP and $INTERNAL should be my
intranet 192.168.x.x NIC?
Also, how does one make any sense out of the packets? This looks pretty
Greek to me.
[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800
len:0x5EA -> TCP TTL:124 TOS:0x0 ID:51642 IpLen:20
DgmLen:1500 DF
***A**** Seq: 0xF79A6595  Ack: 0xF0C2A391  Win: 0x4470  TcpLen: 20
- J
-----Original Message-----
From: snort-users-admin at
[mailto:snort-users-admin at] On Behalf Of Jason
Sent: Sunday, September 16, 2001 2:52 AM
To: snort-users at
Subject: [Snort-users] Snort Newbie
Hi,  I just installed the 1.8 win32 build of Snort on a win2k Server.
I have having a difficult time getting the rule sets to work.
I think, that I don't have the rules set up properly. 
Do I need to define $INTERNAL and $EXTERNAL as ip/ports somewhere?
This is just for my home box.
Here is the sample rule I am trying to get to work.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS552/web-iis_IIS ISAPI
Overflow ida"; dsize: >239; flags: A+; uricontent: ".ida?"; classtype:
system-or-info-attempt; reference: arachnids,552;)
Thanks for any help, it is greatly appreciated.
- Jwatch
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Snort-users mailing list