[Snort-users] writing snort rules

Bryce Stenberg bryce at ...5010...
Tue Feb 26 13:49:12 EST 2002


Hi Peter,

I've just been through the same thing. I'm using Windows NT. When I
downloaded the file "Snort-1.8.3b92-Win32-Static.zip" from the Silicon Defence
site it had two useful files - 'SnortUsersManual.pdf', which has a large
section on writing rules, and 'RULES.SAMPLE', which like it sounds has lots
of sample rules which are also very useful for understanding. I presume
other downloads have similar?

Regards,
  Bryce Stenberg.
     Harness Racing New Zealand computer department,
     emailto:bryce at ...5010...
 
> From: Peter.VE at ...1187...
> To: <snort-users at lists.sourceforge.net>
> Date: Tue, 26 Feb 2002 21:19:21 +0100
> Subject: [Snort-users] writing snort rules
> 
> Hi all,
>
> After 4 months of testing snort (with success), I want to start writing
> my own snort rules.
> Are there any faq's out there ? tips&tricks ?
>
> for example :
> how can I detect any type of traffic (tcp or udp, on all ports), from the
> inside (so from $HOME_NET), to a given IP on the internet (to any) ?
> This seems like an easy rule to write, but it doesn't work...
>
> a little bit of help is greatly appreciated
>
> thanks
> 
> 

