[Snort-users] Rule help

Joel Esler eslerj at ...11827...
Tue Dec 23 15:28:10 EST 2008


You can't use ports with the "ip" protocol.

You have to use tcp or udp.

J

On Dec 23, 2008, at 3:09 PM, Jefferson, Shawn allegedly wrote:

> Hi,
>
> My original rule worked out great, but I tried to create another  
> rule that alerts me on anything that went from the $HOME_NET to  
> $EXTERNAL_NET port 11830, and I obviously did something wrong, since  
> I got about 3 million alerts in 5 minutes… pretty much all traffic  
> going to the IDS sensor (which takes forever to delete via BASE!)
>
> Here's what I tried:
>
> alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830
> traffic outbound"; sid:1000002; rev:1;)
>
> Thanks,
> Shawn
>
> From: Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...]
> Sent: December 19, 2008 6:43 PM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] Rule help
>
> Hi,
>
> I need to create a rule that alerts whenever a connection is made to  
> a specific IP address.  I’ve never created a rule before, and  
> unfortunately, I need this fairly quickly.  Can anyone help me out?
>
> Here’s what I have:
> alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service  
> Infected"; sid:2000001; rev:1;)
>
> Am I missing anything necessary for the rule to work?
>
> Thanks,
> Shawn
>


--
Joel Esler
  http://www.joelesler.net
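A small rule-header lint that catches the mistake discussed in this thread (a port on an `ip` rule, which has no port field to match against) along with two other things that commonly break a hand-written rule: word-processor quote characters like the ones in the quoted rule, and a missing `sid`. This is an added example written for this archive page, not code from Snort or from anyone in the thread; the sample rules are constructed and the check also treats `icmp` like `ip`, since ICMP has no ports either.

```python
import re

# Snort rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

def parse_rule(rule):
    """Split a one-line Snort rule into its header fields and option string."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule header: %r" % rule)
    return m.groupdict()

def lint_rule(rule):
    """Return a list of problems found in one Snort rule (empty list means OK)."""
    problems = []
    # Curly quotes pasted from a mail client or word processor are not the
    # ASCII '"' the Snort parser expects.
    if any(ch in rule for ch in "\u201c\u201d\u2018\u2019"):
        problems.append("non-ASCII quote characters in rule")
    fields = parse_rule(rule)
    proto = fields["proto"].lower()
    if proto in ("ip", "icmp"):
        # ip and icmp headers carry no port numbers, so a port here cannot
        # narrow the match and the rule fires on far more traffic than intended.
        for side in ("sport", "dport"):
            if fields[side].lower() != "any":
                problems.append("%s %r with protocol %s; use tcp or udp"
                                % (side, fields[side], proto))
    if not re.search(r"\bsid\s*:\s*\d+\s*;", fields["opts"]):
        problems.append("missing sid")
    return problems

# Constructed sample rules: the outbound rule from the thread (with straight
# quotes) and two corrected variants, one per transport protocol.
BAD_RULE = ('alert ip $HOME_NET any -> $EXTERNAL_NET 11830 '
            '(msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)')
GOOD_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 11830 '
    '(msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)',
    'alert udp $HOME_NET any -> $EXTERNAL_NET 11830 '
    '(msg:"port 11830 traffic outbound"; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    for rule in [BAD_RULE] + GOOD_RULES:
        print(rule.split(" (")[0], "->", lint_rule(rule) or "OK")
```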


