[Snort-users] Rule help

Matt Olney molney at ...1935...
Fri Dec 19 23:32:42 EST 2008


You probably only want to alert once per connection attempt.  This
will alert against that IP address only when the SYN flag is set.

alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; flags:S+; sid:2000001; rev:1;)

If you require detection on something other than TCP, you will want to
go with "ip" instead of "tcp", as Markus said, but you'll lose the
ability to make the flag check.  By the way, I'm not at the office, but
I'm pretty sure the flags option is right.  Double-check the
documentation.  For performance reasons, you might want to only fire
on select ports (such as those listening):

alert tcp $EXTERNAL_NET any -> 146.155.47.250 [25,80,110] (msg:"VMWare Service Infected"; flags:S+; sid:2000001; rev:1;)

Matt


On Fri, Dec 19, 2008 at 10:19 PM, Markus Lude <markus.lude at ...348...> wrote:
> On Fri, Dec 19, 2008 at 07:42:49PM -0700, Jefferson, Shawn wrote:
>> Hi,
>
> Hello,
>
>> I need to create a rule that alerts whenever a connection is made to a
>> specific IP address.  I've never created a rule before, and
>> unfortunately, I need this fairly quickly.  Can anyone help me out?
>>
>> Here's what I have:
>> alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)
>
> You may want to use "ip" instead of "tcp" for the protocol.
>
> Regards,
> Markus
>
>
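A constructed illustration, added here and not part of the original thread or of Snort itself, of how the rule variants discussed above differ in alert volume: a toy evaluator for the rule header and the flags option, run over a hand-built TCP connection plus a few stray packets to the same host. The target address is the one from the thread; the client address 10.0.0.5, the ports and the traffic are assumptions, $EXTERNAL_NET and all content-matching options are not modelled, and the flags semantics follow the Snort manual's description of the modifiers (exact, +, *, !) rather than Snort's own parser.

```python
"""Toy evaluator for the Snort rule headers discussed in this thread.

Constructed example (not Snort, and not the posters' code): it parses
minimal IPv4/TCP packets and applies the conditions a rule header and a
'flags' option express, to show how many alerts each variant raises for
one constructed TCP connection to 146.155.47.250.
"""
import ipaddress
import struct

# TCP flag bits as Snort names them: F, S, R, P, A, U, 2 (ECE), 1 (CWR).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
TARGET, CLIENT = "146.155.47.250", "10.0.0.5"   # client address is assumed


def flags_match(tcp_flags, spec):
    """Evaluate a Snort 'flags' value: 'S' exact, 'S+' listed bits plus any
    others, 'S*' any listed bit, '!S' none of the listed bits."""
    spec, mode = spec.strip().upper(), "exact"
    if spec.startswith("!"):
        mode, spec = "not", spec[1:]
    elif spec.endswith("+"):
        mode, spec = "plus", spec[:-1]
    elif spec.endswith("*"):
        mode, spec = "any", spec[:-1]
    mask = 0
    for ch in spec:
        mask |= FLAG_BITS[ch]
    if mode == "exact":
        return tcp_flags == mask
    if mode == "plus":
        return tcp_flags & mask == mask
    if mode == "any":
        return tcp_flags & mask != 0
    return tcp_flags & mask == 0


def build_packet(src, dst, proto=6, sport=0, dport=0, flags=0):
    """Construct a minimal IPv4 packet (plus a bare TCP header for proto 6).
    Checksums are left zero: this is test input, not wire-valid traffic."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 if proto == 6 else 20,
                         0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    if proto != 6:
        return ip_hdr
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    return ip_hdr + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50,
                                flags, 65535, 0, 0)


def parse_packet(raw):
    """Return (proto, dst_ip, dst_port, tcp_flags); port and flags are None
    for anything that is not TCP."""
    ihl, proto = (raw[0] & 0x0F) * 4, raw[9]
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    if proto != 6:
        return proto, dst, None, None
    dport = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    return proto, dst, dport, raw[ihl + 13]   # TCP byte 13 holds CWR..FIN


def rule_matches(rule, pkt):
    proto, dst, dport, tcp_flags = pkt
    if rule["proto"] == "tcp" and proto != 6:
        return False
    if dst != rule["dst_ip"]:
        return False
    if rule["ports"] is not None and dport not in rule["ports"]:
        return False
    if rule["flags"] is not None:
        # A flags check needs a TCP header; on non-TCP traffic it cannot match.
        return tcp_flags is not None and flags_match(tcp_flags, rule["flags"])
    return True


# The rule variants from the thread, reduced to header + flags option.
RULES = {
    # alert tcp any any -> 146.155.47.250 any (...)                  (original)
    "tcp_any": {"proto": "tcp", "dst_ip": TARGET, "ports": None, "flags": None},
    # alert tcp any any -> 146.155.47.250 any (flags:S+; ...)
    "tcp_syn": {"proto": "tcp", "dst_ip": TARGET, "ports": None, "flags": "S+"},
    # same with flags:S, i.e. SYN alone (an ECN-negotiating SYN would not match)
    "tcp_syn_exact": {"proto": "tcp", "dst_ip": TARGET, "ports": None, "flags": "S"},
    # alert tcp $EXTERNAL_NET any -> 146.155.47.250 [25,80,110] (flags:S+; ...)
    "tcp_ports": {"proto": "tcp", "dst_ip": TARGET, "ports": {25, 80, 110}, "flags": "S+"},
    # alert ip any any -> 146.155.47.250 any (...)                   (Markus)
    "ip_any": {"proto": "ip", "dst_ip": TARGET, "ports": None, "flags": None},
}

S, A, P, F = FLAG_BITS["S"], FLAG_BITS["A"], FLAG_BITS["P"], FLAG_BITS["F"]
ECN = FLAG_BITS["2"] | FLAG_BITS["1"]

# Constructed traffic: one HTTP connection, a SYN to an unlisted port, an
# ECN-negotiating SYN to SMTP, and one ICMP packet to the same host.
TRAFFIC = [
    build_packet(CLIENT, TARGET, sport=40000, dport=80, flags=S),        # SYN
    build_packet(TARGET, CLIENT, sport=80, dport=40000, flags=S | A),    # SYN/ACK back
    build_packet(CLIENT, TARGET, sport=40000, dport=80, flags=A),        # ACK
    build_packet(CLIENT, TARGET, sport=40000, dport=80, flags=P | A),    # request
    build_packet(CLIENT, TARGET, sport=40000, dport=80, flags=F | A),    # FIN
    build_packet(CLIENT, TARGET, sport=40001, dport=443, flags=S),       # SYN to 443
    build_packet(CLIENT, TARGET, sport=40002, dport=25, flags=S | ECN),  # SYN+ECE+CWR
    build_packet(CLIENT, TARGET, proto=1),                               # ICMP
]


def alert_counts(rules=RULES, traffic=TRAFFIC):
    """Number of alerts each rule variant raises over the traffic."""
    pkts = [parse_packet(raw) for raw in traffic]
    return {name: sum(rule_matches(r, p) for p in pkts) for name, r in rules.items()}


if __name__ == "__main__":
    for name, n in alert_counts().items():
        print(f"{name:14s} {n} alerts")
```

Over this traffic the original rule alerts on every client-to-target TCP segment of the connection, the flags:S+ rule once per connection attempt, the port-restricted variant only for attempts on the listed ports, and the "ip" variant on the ICMP packet as well, at the cost of the flag check. The difference between flags:S and flags:S+ shows up on the ECN-negotiating SYN, which sets ECE and CWR alongside SYN.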