[Snort-users] Custom rules

Bryan Irvine bryan.irvine at ...9066...
Tue Sep 2 09:55:11 EDT 2003


I'm a relative newb to snort.  I've been using it for a while, and am
familiar with how it works, but now I'm moving to the next step.

CUSTOM RULES!!!

I'm trying to log all internet traffic (specifically web pages) from one
particular host on my network.

I've read the snort documentation with this as the sample rule.

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|";
msg:"mountd access";)

I think I have an understanding of this, but what would I put in the
content section?  Does that even need to be there?

What if I just did this:

alert tcp any any -> 192.168.1.0/32 80 (content:""; msg:"Jill's
Activity";)

(names have been changed to protect the guilty) 

Or if I wanted to log all traffic, and not just port 80 can I remove the
"80" and it will start logging everything?  Or am I facing the wrong way
on the wrong track?

Google hasn't turned up any answers yet but I will keep looking.

--Bryan
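As an added illustration (not from the original post or from the Snort project), here is how the rule in the question could be written to capture one host's outbound traffic for later review; the host address 192.168.1.50 and the sid values are assumed placeholders, and the content option is simply left out since it is optional in Snort rule syntax:

```snort
# Added example: watched host is on the SOURCE side of the direction operator,
# so this matches traffic leaving the host, not traffic sent to it.
# "log" writes the matching packets to the log directory instead of alerting.
# 192.168.1.50 is an assumed placeholder for the host being monitored.

# Web traffic only (destination port 80). No content option is needed when
# the match is purely on the packet header.
log tcp 192.168.1.50 any -> any 80 (msg:"Watched host HTTP"; sid:1000001; rev:1;)

# All TCP traffic from the host: replace the destination port with "any".
log tcp 192.168.1.50 any -> any any (msg:"Watched host TCP"; sid:1000002; rev:1;)

# Same for UDP, which the tcp rules above would not see.
log udp 192.168.1.50 any -> any any (msg:"Watched host UDP"; sid:1000003; rev:1;)
```

Keeping each rule's sid unique in the 1000000+ range is the usual convention for local rules so they do not collide with distributed rule sets.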