[Snort-users] Help would be appreciated!

Nicholas Mavis (nmavis) nmavis at ...589...
Thu Jun 12 14:29:57 EDT 2014


Charlie,

We need data in order to help ascertain the root cause of your issue. Please provide the following:

  *   The rule
  *   Pcap of the traffic that should be alerting
  *   Snort.conf file

Nick

From: Charlie Egan <chas5873 at ...11827...<mailto:chas5873 at ...11827...>>
Date: Thursday, June 12, 2014 at 2:02 PM
To: "snort-users at lists.sourceforge.net<mailto:snort-users at ...5870....net>" <snort-users at lists.sourceforge.net<mailto:snort-users at ...2987...rge.net>>
Subject: [Snort-users] Help would be appreciated!

Hi guys,

I've been playing around with Snort for a while now as a little project of mine, and I'm doing my best to get the hang of writing rules for it. I'm becoming more familiar with how signatures are made, and I'd like to begin writing rules which aren't currently detected by Snort, even if they're fairly simple ones.

Currently I'm using Snort as a sniffer on a Kali Linux VM, metasploit on another Kali Linux VM, and Windows 2000 & XP as victim machines. I've been looking for exploits on sites such as exploit db and 1337day, and I'm trying to start with plain text protocols such as FTP and HTTP to make writing the rules slightly easier for me (using basic regular expressions and such).

If anybody could help me out it would be much appreciated, I've been trying to get my head around writing a rule that's not currently detected for a while now, and I'm not having much luck.

I'm not familiar with how these mailing lists work as well, so apologies if this isn't the sort of thing I should be posting - I've looked quite thoroughly for forums dedicated to Snort, and was hoping to find some good ones, especially with sections for beginners, although haven't had any luck as of yet.

Thanks for any help,

Charlie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140612/66b55bdc/attachment.html>


More information about the Snort-users mailing list