[Snort-users] Rule help
Shawn.Jefferson at ...14448...
Tue Dec 23 15:09:08 EST 2008
My original rule worked out great, but I tried to create another rule that alerts me on anything that went from the $HOME_NET to $EXTERNAL_NET port 11830, and I obviously did something wrong, since I got about 3 million alerts in 5 minutes... pretty much all traffic going to the IDS sensor (which takes forever to delete via BASE!)
Here's what I tried:
alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)
From: Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...]
Sent: December 19, 2008 6:43 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Rule help
I need to create a rule that alerts whenever a connection is made to a specific IP address. I've never created a rule before, and unfortunately, I need this fairly quickly. Can anyone help me out?
Here's what I have:
alert tcp any any -> 188.8.131.52 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)
Am I missing anything necessary for the rule to work?
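Added example, not code from this thread: a small checker for the two rule headers posted above. It encodes one assumption about Snort 2.x, that port fields only constrain tcp and udp rules, so an `ip` rule carrying port 11830 matches every IP packet from $HOME_NET to $EXTERNAL_NET, which fits the alert flood described; the rule it points at instead is `alert tcp ...` (plus a `udp` copy if needed).

```python
import re

# Header of a one-line Snort 2.x rule:
#   action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# key:value; options; the value is a quoted string or anything up to the ';'
# (flag-only options such as "nocase;" are skipped, which is fine for a lint)
OPTION_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*)\s*;')


def parse_rule(text):
    """Split a rule into its header fields plus a dict of key:value options."""
    m = HEADER_RE.match(text)
    if m is None:
        raise ValueError("not a one-line Snort rule: %r" % text)
    rule = m.groupdict()
    rule["opts"] = {k: v.strip('"') for k, v in OPTION_RE.findall(rule.pop("opts"))}
    return rule


def lint_rule(text):
    """Return the problems likely to make this rule fire on far more traffic than intended."""
    rule = parse_rule(text)
    problems = []
    # Assumption: Snort 2.x honours ports only for tcp/udp, so an ip/icmp rule with a
    # port in either field silently matches every packet of that protocol instead.
    if rule["proto"] in ("ip", "icmp") and (rule["sport"], rule["dport"]) != ("any", "any"):
        problems.append("port(s) %s/%s are ignored for proto '%s'; use tcp or udp"
                        % (rule["sport"], rule["dport"], rule["proto"]))
    for required in ("msg", "sid"):
        if required not in rule["opts"]:
            problems.append("missing %s option" % required)
    # Local rules should use sids of 1000000 and above; lower values belong to official rule sets.
    sid = rule["opts"].get("sid", "")
    if sid.isdigit() and int(sid) < 1000000:
        problems.append("sid %s is in the range reserved for official rules" % sid)
    return problems


if __name__ == "__main__":
    # The two rules from the thread, then the corrected outbound rule.
    for r in ('alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)',
              'alert tcp any any -> 188.8.131.52 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)',
              'alert tcp $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)'):
        print(r.split(" (")[0], "->", lint_rule(r) or "ok")
```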