[Snort-users] Custom rules

Schmehl, Paul L pauls at ...6838...
Tue Sep 2 11:43:03 EDT 2003


> -----Original Message-----
> From: Bryan Irvine [mailto:bryan.irvine at ...9066...] 
> Sent: Tuesday, September 02, 2003 12:02 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Custom rules
> 
> I think I have an understanding of this, but what would I put 
> in the content section?  Does that even need to be there?
>
That depends on what content you're looking for.
 
> What if I just did this:
> 
> alert tcp any any -> 192.168.1.0/32 80 (content:""; msg:"Jill's Activity";)
> 
If you want to see *all* traffic on port 80 on her machine, this would
work (remove the content part, you don't need it).  But if you're trying
to see all the websites she is going to, you've got port 80 on the wrong
side of the conversation.  You would want this instead:

alert tcp any 80 -> 192.168.1.0 any (msg: "Jill's Web Browsing Activities"; sid: 1000002; rev: 1;)
> 
> Or if I wanted to log all traffic, and not just port 80 can I 
> remove the "80" and it will start logging everything?

Yes.  Use "any" instead.  But be prepared for a *lot* of traffic.

If, for example, you wanted to see every packet that had Jill's name in
it:
alert ip any any -> any any (msg: "All traffic with Jill's name in it"; content: "Jill"; sid: 1000001; rev: 1;)

(You should always create sids for your custom rules, and they should
start at 1 million and 1.)  Revs are good too, if you think you'll be
changing the rule often.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
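As an added example (not code from this thread or from the Snort project), the following Python matcher parses rules in Snort's header/options syntax and shows which of the rule shapes discussed above fire on a simulated page fetch: the "port 80 on Jill's side" rule, the server-to-Jill rule suggested in the reply, and the payload rule with content:"Jill". It assumes Jill's machine is 192.168.1.7 (the thread uses 192.168.1.0/32), and it goes one step beyond the reply by also including a Jill-to-server rule, because the request is the direction that carries the Host: header naming the site. The packets, rule texts and the lint() helper are all constructed for this example; the matcher handles only the subset of rule syntax used here.

```python
"""Minimal Snort-style rule matcher, constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass

# Header grammar: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def parse_rule(text):
    """Return (header dict, options dict).  The text is joined onto one line
    first: Snort reads one rule per line, so a mail-wrapped rule as pasted
    in the thread would not load as-is.  Option values containing ';' are
    not handled (enough for the rules in this example)."""
    m = HEADER_RE.match(" ".join(text.split()))
    if m is None:
        raise ValueError("unparseable rule: %r" % text)
    hdr = m.groupdict()
    opts = {}
    for opt in hdr.pop("opts").split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')   # bare 'nocase' -> ""
    return hdr, opts


def lint(text):
    """Problems worth flagging before loading a custom rule (example policy)."""
    problems = []
    _, opts = parse_rule(text)
    if "content" in opts and opts["content"] == "":
        problems.append("empty content: drop the option to match any payload")
    if "sid" not in opts:
        problems.append("missing sid: alerts cannot be told apart without one")
    elif int(opts["sid"]) < 1000000:
        problems.append("sid below 1000000 collides with the distributed ruleset")
    if "rev" not in opts:
        problems.append("missing rev: bump it whenever the rule changes")
    return problems


def _addr_ok(rule_addr, ip):
    # A bare host address (no /len) is treated as a /32, as Snort does.
    return rule_addr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)


def _port_ok(rule_port, port):
    return rule_port == "any" or int(rule_port) == port


def matches(text, pkt):
    """True when the rule header and its content option both apply to pkt."""
    hdr, opts = parse_rule(text)
    if hdr["proto"] != "ip" and hdr["proto"] != pkt.proto:   # 'ip' covers all
        return False
    if not (_addr_ok(hdr["src"], pkt.src) and _port_ok(hdr["sport"], pkt.sport)
            and _addr_ok(hdr["dst"], pkt.dst) and _port_ok(hdr["dport"], pkt.dport)):
        return False
    needle = opts.get("content", "")
    if needle:
        hay, pat = pkt.payload, needle.encode()
        if "nocase" in opts:           # content matching is case-sensitive by default
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True


def fired(rules, pkt):
    """sids of the rules that fire on pkt, in rule order."""
    return [int(parse_rule(r)[1]["sid"]) for r in rules if matches(r, pkt)]


JILL = "192.168.1.7"   # assumed address of Jill's machine (not from the thread)
RULES = [
    # inbound to port 80 on Jill's box: fires only if she runs a web server
    'alert tcp any any -> %s 80 (msg:"Jill port 80 inbound"; sid:1000001; rev:1;)' % JILL,
    # replies from web servers to Jill: the rule shape suggested in the reply
    'alert tcp any 80 -> %s any (msg:"Jill web browsing replies"; sid:1000002; rev:1;)' % JILL,
    # Jill's own requests: the direction that carries the Host: header
    'alert tcp %s any -> any 80 (msg:"Jill web browsing requests"; sid:1000003; rev:1;)' % JILL,
    'alert ip any any -> any any (msg:"Jill in payload"; content:"Jill"; sid:1000004; rev:1;)',
    'alert ip any any -> any any (msg:"Jill any case"; content:"Jill"; nocase; sid:1000005; rev:1;)',
]

# Constructed sample packets: one page fetch, its reply, and an outgoing mail.
REQUEST = Packet("tcp", JILL, 51234, "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
RESPONSE = Packet("tcp", "203.0.113.10", 80, JILL, 51234, b"HTTP/1.1 200 OK\r\n\r\n<p>Hello Jill</p>")
MAIL = Packet("tcp", JILL, 40000, "203.0.113.25", 25, b"From: jill@example.com\r\n")
# The wrapped, sid-less rule from the question, as a mail client would paste it.
WRAPPED_RULE = 'alert tcp any any -> 192.168.1.0/32 80 (content:""; msg:"Jill\'s\nActivity";)'

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("response", RESPONSE), ("mail", MAIL)):
        print(name, fired(RULES, pkt))
    for problem in lint(WRAPPED_RULE):
        print("lint:", problem)
```

Run stand-alone, the request trips only the outbound rule (sid 1000003), the reply trips the server-side rule and both payload rules, and the mail with a lowercase "jill" trips only the nocase variant, which is the caveat on matching a name with a bare content option. lint() reports the empty content and the missing sid and rev on the pasted rule.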