![snort logo](/images/snort-logo.png)
Snort mailing list archives
RE: ACID and Snort rules
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 20 Sep 2005 11:17:16 -0400
The Snort docs are always a good place to start especially the manual and the FAQs. Lots of details. There is also the nocase keyword, which may be helpful to you. In your Snort setup, make sure that this rule is included in your snort.conf or a file which is in an include statement in your snort.conf. Your rule should work, assuming that packets with this payload are being seen by Snort and you rule is in the snort.conf. Bruce _____ From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort Sent: Wednesday, September 21, 2005 12:02 AM To: snort-users () lists sourceforge net Subject: [Snort-users] ACID and Snort rules I will like to make a rule for users accessing certian sites via their log. I am tasked to prove that users are authenticating into specific sites. I will like to get as specific as user name and password. I want to create rules based on payload data however i have not been successfull an example. I would like to trigger this rule to happen for any ip address the sensor sees. Im going to change the content around to something like passwd etc etc. I understand its case sensative when searching the payload data. alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; msg: "FTP root login";) Can some one give me more examples of a snort rule to accomplish this task. What would rules look like searching the payload data?? Where do I put the rule and how do i have it both alert and log to the database. I been reading some fourms and they are helpful in talking about the construction of a rule and its parts and what each one means. I can use some help now thank you
Current thread:
- ACID and Snort rules snort (Sep 19)
- <Possible follow-ups>
- RE: ACID and Snort rules Briggs, Bruce (Sep 20)