RE: ACID and Snort rules

["Briggs, Bruce" <Bruce.Briggs () suny edu>]

The Snort docs are always a good place to start especially the manual
and the FAQs.
Lots of details.
 
There is also the   nocase   keyword, which may be helpful to you.
 
In your Snort setup, make sure that this rule is included in your
snort.conf or a file which is in an    include   statement in your
snort.conf.
 
Your rule should work, assuming that packets with this payload are being
seen by Snort and you rule is in the snort.conf.
 
Bruce

  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort
Sent: Wednesday, September 21, 2005 12:02 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ACID and Snort rules


I will like to make a rule for users accessing certian sites via their
log.  I am tasked to prove that users are authenticating into specific
sites.  I will like to get as specific as user name and password.  
 
I want to create rules based on payload data however i have not been
successfull
 an example.  I would like to trigger this rule to happen for any ip
address the sensor sees. Im going to change the content around to
something like passwd  etc etc.  I understand its case sensative when
searching the payload data. 
 
alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; msg: "FTP
root login";) 

 
Can some one give me more examples of a snort rule  to accomplish this
task.  What would rules look like searching the payload data??    Where
do I put the rule and how do i have it both alert and log to the
database.
 
I been reading some fourms and they are helpful in talking about the
construction of a rule and its parts  and what each one means.  I can
use some help now   thank you