[Snort-users] Rule help

Matt Olney molney at ...1935...
Fri Dec 19 23:32:42 EST 2008

You probably only want to alert once per connection attempt.  This
will alert against that IP address, only when the SYN flag is set:

alert tcp any any -> any (msg:"VMWare Service
Infected"; flags: s+; sid:2000001; rev:1;)

If you require detection on something other than TCP, you will want to
go with "ip" instead of "tcp", as Markus said, but you'll lose the
ability to make the flag check.  By the way, I'm not at the office, but
I'm pretty sure the flags option is right.  Double check the
documentation.  For performance reasons, you might want to only fire
on select ports (such as those listening):

alert tcp $EXTERNAL_NET any -> [25,80,110] (msg:"VMWare
Service Infected"; flags: s+; sid:2000001; rev: 1;)


On Fri, Dec 19, 2008 at 10:19 PM, Markus Lude <markus.lude at ...348...> wrote:
> On Fri, Dec 19, 2008 at 07:42:49PM -0700, Jefferson, Shawn wrote:
>> Hi,
> Hello,
>> I need to create a rule that alerts whenever a connection is made to a
>> specific IP address.  I've never created a rule before, and
>> unfortunately, I need this fairly quickly.  Can anyone help me out?
>> Here's what I have:
>> alert tcp any any -> any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)
> You may want to use "ip" instead of "tcp" for the protocol.
> Regards,
> Markus

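As an added illustration (not code from this thread or from the Snort project), the following Python script emulates the header match and the `flags:` option of the rules discussed above against a constructed packet sample. It shows why the original rule fires on every packet of a connection while `flags:S+` fires once per connection attempt, why switching the protocol to `ip` also catches the UDP packet but cannot evaluate a flag check, and how a port list narrows the matches. The flag semantics follow the Snort manual's description (exact match, `+`, `*`, `!`) in simplified form; the target and client addresses are constructed RFC 5737 documentation addresses, not values from the thread.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the header's flags byte.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


@dataclass
class Packet:
    proto: str       # "tcp", "udp", ...
    src_ip: str
    dst_ip: str
    dst_port: int
    flags: int = 0   # TCP flags byte; 0 for non-TCP packets


def flags_option_matches(spec, flags_byte):
    """Evaluate a Snort ``flags:`` value (e.g. "S", "S+", "SA", "A*", "!S")
    against a TCP flags byte.  Simplified model of the option as documented
    in the Snort manual: bare letters require an exact match, '+' allows
    other bits to be set as well, '*' matches if any listed bit is set, and
    a leading '!' negates the result.  Assumption: reserved-bit handling
    (the ",12" style suffix) is not modelled."""
    spec = spec.replace(" ", "")
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    mode = "exact"
    if spec and spec[-1] in "+*":
        mode, spec = spec[-1], spec[:-1]
    wanted = 0
    for letter in spec.upper():
        if letter == "0":          # "0" means no flags set at all
            continue
        wanted |= TCP_FLAG_BITS[letter]
    if mode == "+":
        result = (flags_byte & wanted) == wanted
    elif mode == "*":
        result = (flags_byte & wanted) != 0
    else:
        result = flags_byte == wanted
    return not result if negate else result


def rule_matches(pkt, proto, dst_ip, dst_ports=None, flags_spec=None):
    """Header part of a rule (protocol, destination address, destination
    port list where None means "any") plus the optional ``flags`` body
    option.  In this model a non-TCP packet can never satisfy a flags
    check, which is the trade-off of writing the rule against ``ip``."""
    if proto != "ip" and pkt.proto != proto:
        return False
    if pkt.dst_ip != dst_ip:
        return False
    if dst_ports is not None and pkt.dst_port not in dst_ports:
        return False
    if flags_spec is not None:
        if pkt.proto != "tcp":
            return False
        return flags_option_matches(flags_spec, pkt.flags)
    return True


# Constructed sample (RFC 5737 documentation addresses): one client completes
# a handshake to port 80 on the target and sends a request; a second host
# sends a single UDP packet to the target.
TARGET = "192.0.2.10"
S, A, P = TCP_FLAG_BITS["S"], TCP_FLAG_BITS["A"], TCP_FLAG_BITS["P"]
SAMPLE_TRAFFIC = [
    Packet("tcp", "198.51.100.7", TARGET, 80, S),          # SYN
    Packet("tcp", TARGET, "198.51.100.7", 51000, S | A),   # SYN-ACK reply
    Packet("tcp", "198.51.100.7", TARGET, 80, A),          # ACK
    Packet("tcp", "198.51.100.7", TARGET, 80, P | A),      # request data
    Packet("tcp", "198.51.100.7", TARGET, 80, A),          # ACK of response
    Packet("udp", "198.51.100.9", TARGET, 53, 0),          # UDP to target
]


def count_alerts(traffic, proto, dst_ports=None, flags_spec=None):
    """Number of packets in ``traffic`` that the rule would alert on."""
    return sum(rule_matches(p, proto, TARGET, dst_ports, flags_spec) for p in traffic)


if __name__ == "__main__":
    print("tcp, no flags      :", count_alerts(SAMPLE_TRAFFIC, "tcp"))
    print("tcp, flags:S+      :", count_alerts(SAMPLE_TRAFFIC, "tcp", flags_spec="S+"))
    print("ip,  no flags      :", count_alerts(SAMPLE_TRAFFIC, "ip"))
    print("ip,  flags:S+      :", count_alerts(SAMPLE_TRAFFIC, "ip", flags_spec="S+"))
    print("tcp ports 25,80,110:", count_alerts(SAMPLE_TRAFFIC, "tcp", [25, 80, 110], "S+"))
```

Running it shows the original `tcp` rule without a flag check alerting on four packets of a single connection, the `S+` version alerting once (on the initial SYN only, since the SYN-ACK travels the other way), and the `ip` version picking up the UDP packet as well but only when no flag check is present.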