[Snort-users] WRITE RULE ERROR

Al Lewis (allewi) allewi at cisco.com
Mon Oct 23 18:40:54 EDT 2017


It would help if you sent the pcap and pointed out what you are trying to detect.


Albert Lewis
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of nguyen cao via Snort-users <snort-users at lists.snort.org>
Reply-To: nguyen cao <nguyenblack1995 at gmail.com>
Date: Monday, October 23, 2017 at 10:43 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] WRITE RULE ERROR

I wrote Snort alert rules of this type:

alert any any -> any any (msg:"Test";ack:1;classtype:shellcode-detect;sid;1000001;rev:1;)
alert any any -> any any (msg:"test2";flags:S;flow:to_server,established;detecion_filter:track by_src, count: 5,sencond 5; classtype:shellcode-detect;sid:1000002;rev:1;)

But the 2 rules do not alert. People ask me how to write an alert rule with the above type?