[Snort-users] Rule help

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Dec 23 15:09:08 EST 2008


My original rule worked out great, but I tried to create another rule that alerts me on anything that went from the $HOME_NET to $EXTERNAL_NET port 11830, and I obviously did something wrong, since I got about 3 million alerts in 5 minutes... pretty much all traffic going to the IDS sensor (which takes forever to delete via BASE!)

Here's what tried:

alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)


From: Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...]
Sent: December 19, 2008 6:43 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Rule help


I need to create a rule that alerts whenever a connection is made to a specific IP address.  I've never created a rule before, and unfortunately, I need this fairly quickly.  Can anyone help me out?

Here's what I have:
alert tcp any any -> any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)

Am I missing anything necessary for the rule to work?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20081223/68e63061/attachment.html>

More information about the Snort-users mailing list