Snort mailing list archives

RE: writing snort rules


From: tyler () ibill com
Date: Tue, 26 Feb 2002 15:51:30 -0500

umm...
 
what do you want this rule to DO?
 
alert ip $HOME_NET any -> any any (msg: "foo";)
 
tf.

-----Original Message-----
From: Peter.VE () pandora be [mailto:Peter.VE () pandora be]
Sent: Tuesday, February 26, 2002 3:19 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] writing snort rules



Hi all,
 
After 4 months of testing snort (with success), I want to start writing my
own snort rules.
Are there any FAQs out there? Tips & tricks?
 
For example:
How can I detect any type of traffic (tcp or udp, on all ports), from the
inside (so from $HOME_NET), to a given IP on the internet (to any)?
This seems like an easy rule to write, but it doesn't work...
 
A little bit of help is greatly appreciated.
 
thanks
 
 
 