[Snort-users] ACID and Snort rules
Bruce.Briggs at ...13183...
Tue Sep 20 08:19:33 EDT 2005
The Snort docs are always a good place to start especially the manual
and the FAQs.
Lots of details.
There is also the nocase keyword, which may be helpful to you.
In your Snort setup, make sure that this rule is included in your
snort.conf or a file which is in an include statement in your
Your rule should work, assuming that packets with this payload are being
seen by Snort and you rule is in the snort.conf.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of snort
Sent: Wednesday, September 21, 2005 12:02 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] ACID and Snort rules
I will like to make a rule for users accessing certian sites via their
log. I am tasked to prove that users are authenticating into specific
sites. I will like to get as specific as user name and password.
I want to create rules based on payload data however i have not been
an example. I would like to trigger this rule to happen for any ip
address the sensor sees. Im going to change the content around to
something like passwd etc etc. I understand its case sensative when
searching the payload data.
alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; msg: "FTP
Can some one give me more examples of a snort rule to accomplish this
task. What would rules look like searching the payload data?? Where
do I put the rule and how do i have it both alert and log to the
I been reading some fourms and they are helpful in talking about the
construction of a rule and its parts and what each one means. I can
use some help now thank you
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users