[Snort-users] newbie-writing rules help

McCammon, Keith Keith.McCammon at ...3497...
Mon Jul 22 13:52:04 EDT 2002

> For example only traffic from the outside going to
> port :80,23,8000,8001,8002 and a few more are allowed.
> How must I define this;
> I thought of:
> alert tcp any anu -> any 1[80,23,8000,8001,8002]
> (msg:"Er";)

I'm a little unclear as to what you're trying to accomplish.  Before we even get to rules syntax:

1) If these services are allowed, why does it appear that you're trying to generate alerts every time someone accesses them?  That is not intrusion detection, that is accounting (in which case Snort is the wrong tool).

2) Assuming that your alert rule was a simple mistake, what is it that you wish to do?  Do you want to

- Generate alerts when a service *other* than those listed is accessed?
- Simply inspect the traffic for these services using default rules?
- Perform some kind of (very odd) accounting using Snort?

Just a little more information and we'll get you started down the right path!  Please include your Snort version as well (just to make sure you're current)...
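As an added illustration of the first option in the reply (alert when a service *other* than the allowed ones is accessed), here is a small Python model of how a Snort rule header's port field selects traffic; it is not code from this thread or from Snort itself. It assumes the bracketed list `[80,23,8000:8002]` and the leading `!` for negation follow Snort's rule-header port syntax, and the flows it runs over are constructed.

```python
from typing import List, Optional, Set, Tuple


def parse_port_spec(spec: str) -> Tuple[bool, Optional[Set[int]]]:
    """Parse a rule-header port field: 'any', '80', '8000:8002',
    '[80,23,8000:8002]', optionally prefixed with '!' for negation.
    Returns (negated, ports); ports is None when the field is 'any'.
    Assumption: mirrors Snort's port-list syntax only as far as this
    thread needs (single ports, lo:hi ranges, comma lists, negation)."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    spec = spec.strip("[]")
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:                       # range, e.g. 8000:8002
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo or 0), int(hi or 65535) + 1))
        elif item.isdigit():                  # single port
            ports.add(int(item))
        else:                                 # e.g. the typo 'anu' or '1[80,...'
            raise ValueError(f"bad port item in rule header: {item!r}")
    return negated, ports


def port_matches(spec: str, port: int) -> bool:
    """True if a packet to `port` is selected by the header field `spec`."""
    negated, ports = parse_port_spec(spec)
    hit = True if ports is None else port in ports
    return (not hit) if negated else hit


ALLOWED = "[80,23,8000:8002]"   # the services the original poster permits


def flag_unexpected_services(flows: List[Tuple[str, int]], allowed: str = ALLOWED):
    """Return the (src, dst_port) pairs that would fire a header such as
    'alert tcp $EXTERNAL_NET any -> $HOME_NET !<allowed> (...)', i.e. the
    inbound connections to ports NOT on the permitted list."""
    return [(src, dport) for src, dport in flows if port_matches("!" + allowed, dport)]


# Constructed sample flows: (source address, destination port)
SAMPLE_FLOWS = [("203.0.113.5", 80), ("203.0.113.6", 22),
                ("203.0.113.7", 8002), ("203.0.113.8", 3389)]
```

Running `flag_unexpected_services(SAMPLE_FLOWS)` keeps only the SSH and RDP flows, which is the behaviour the reply's first option describes; feeding the quoted header's port field (`1[80,23,8000,8001,8002]`) to `parse_port_spec` raises, which is the "simple mistake" the reply refers to.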
