Snort mailing list archives
RE: Test question
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Mon, 17 Dec 2001 22:59:42 -0600
Hi Ryan,

Thanks for the explanation. It was really helpful. I actually would like to create my custom rules but I don't know where to start. I really praise you guys because you know how to read and understand packets. That's what I want to do also. Would you guys give me advice on where to start? Is there a book that I should buy aside from Stevens' TCP/IP Illustrated Vol. 1? I'm also really impressed by the guys out there who are able to develop snort rules for a specific attack. How is that done? Share please. :-)

For me, I really appreciate seeing stuff in rules like content:"|ffff ff2f 4249 4e2f 5348 00|". How the hell did that guy come up with this rule!?! :-)

Thanks guys. This mailing list is really amazing.

-----Original Message-----
From: Ryan Hill [mailto:rhill () xypoint com]
Sent: Monday, December 17, 2001 4:09 PM
To: Ronneil Camara; Ryan Hill
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Test question

Ronneil,

If you don't change the rule processing order (snort -o), then AFAIK, the alert will trigger regardless of the pass rule, since alert rules will be processed first in the engine. Generally, if you've written any pass rules, you want to use snort -o to utilize them. The default option is not using them (probably for performance reasons - one can speculate).

BTW: Good suggestions Phil. I'm getting double triggers as the messages pass over two sensors before reaching me... lol

<snip false alarm generating sig here>

Regards,
Ryan Hill, MCSE
IT Ninja
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB

-----Original Message-----
From: Ronneil Camara [mailto:ronneilc () remingtonltd com]
Sent: Monday, December 17, 2001 12:57 PM
To: Ryan Hill
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Test question

Thanks Ryan, I'll try that one.

So if I didn't use -o, then the new rule must come before the alert, am I right?
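As an added illustration (not code from any message in this thread), the hex inside that content: match is just the bytes of the string the rule looks for, and Ryan's point about rule-type ordering can be checked with a toy evaluator. The pass rule, the rule-order tuples and the sample payload below are constructed for the example.

```python
"""Added example: decode a Snort content: string and show how rule-type
order (default vs. snort -o) decides whether a pass rule suppresses an alert.
The rules, orderings and payload here are constructed, not from the thread."""


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|ffff ff2f|BIN|00|' into bytes.
    Text outside |...| is literal; inside, whitespace-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")       # literal text segment
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex segment
    return bytes(out)


def printable(data: bytes) -> str:
    """Render matched bytes so a human can see what the rule is after."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in data)


# Constructed rules: (action, content spec).  Real rules also carry a
# protocol, addresses and ports; only the payload match matters here.
RULES = [
    ("alert", "|ffff ff2f 4249 4e2f 5348 00|"),  # the match quoted above
    ("pass", "/BIN/SH"),                          # constructed pass rule
]

DEFAULT_ORDER = ("alert", "pass", "log")  # snort without -o (assumed)
O_FLAG_ORDER = ("pass", "alert", "log")   # snort -o (assumed)


def first_action(payload: bytes, rules, order):
    """Rules are grouped by action type in 'order'; first match wins."""
    for action in order:
        for act, spec in rules:
            if act == action and parse_content(spec) in payload:
                return action
    return None


# Constructed sample payload containing the bytes the alert rule matches.
PAYLOAD = b"\x90" * 4 + b"\xff\xff\xff/BIN/SH\x00"

if __name__ == "__main__":
    print(printable(parse_content(RULES[0][1])))       # \xff\xff\xff/BIN/SH\x00
    print(first_action(PAYLOAD, RULES, DEFAULT_ORDER))  # alert
    print(first_action(PAYLOAD, RULES, O_FLAG_ORDER))   # pass
```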