Snort mailing list archives

Re: Rule help


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 23 Dec 2008 13:09:08 -0700

Hi,

My original rule worked out great, but I tried to create another rule that alerts me on anything that went from the 
$HOME_NET to $EXTERNAL_NET port 11830, and I obviously did something wrong, since I got about 3 million alerts in 5 
minutes... pretty much all traffic going to the IDS sensor (which takes forever to delete via BASE!)

Here's what I tried:

alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)

Thanks,
Shawn

________________________________
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: December 19, 2008 6:43 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Rule help

Hi,

I need to create a rule that alerts whenever a connection is made to a specific IP address.  I've never created a rule 
before, and unfortunately, I need this fairly quickly.  Can anyone help me out?

Here's what I have:
alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)

Am I missing anything necessary for the rule to work?

Thanks,
Shawn


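Editor's note on the two rules in this thread (added example, not part of the original posts and not Snort's own parser). The second rule fires on everything because a port only exists in the TCP and UDP headers: Snort 2 evaluates rules with the "ip" protocol without port checks, so "$EXTERNAL_NET 11830" on an ip rule restricts nothing and every outbound IP packet matches. The fix is to write the rule against tcp (or udp, if that is what the service speaks), and to add a flow constraint so it alerts once per connection instead of once per packet, which is also why the first rule produces one alert for every packet to that host. The checker below parses the headers of the two posted rules plus a corrected version of the second one and reports those problems; the corrected rule assumes the port-11830 service is TCP, and its rev is bumped to 2 as the convention for an edited rule.

```python
"""Minimal Snort 2 rule-header checker (added example, not Snort's own parser)."""
import re

# Constructed input: the two rules posted in this thread plus a corrected
# version of the second one.  Assumption: the port-11830 service is TCP.
RULES = [
    'alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)',
    'alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; '
    'flow:to_server,established; sid:1000002; rev:2;)',
]

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split the option body on ';' while ignoring ';' inside "quoted" values."""
    items, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def parse_rule(text):
    """Return the header fields plus an 'options' dict (first colon splits key and value)."""
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError("not a recognised Snort rule: %r" % text)
    rule = m.groupdict()
    options = {}
    for item in split_options(rule.pop("opts")):
        key, _, value = item.partition(":")
        options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule


def lint_rule(rule):
    """Return a list of findings; an empty list means nothing to complain about."""
    findings = []
    opts = rule["options"]
    for required in ("msg", "sid", "rev"):
        if required not in opts:
            findings.append("missing required option %s" % required)
    # A port only exists in the TCP/UDP header, and Snort 2 evaluates 'ip'
    # rules without port checks, so a port on an 'ip' rule restricts nothing.
    if rule["proto"] == "ip" and (rule["sport"] != "any" or rule["dport"] != "any"):
        findings.append("ports are ignored for proto 'ip'; use tcp or udp or the rule matches every IP packet")
    # Without a flow/flags constraint a TCP rule fires on every packet of the
    # connection instead of once when the connection is set up.
    if rule["proto"] == "tcp" and not ({"flow", "flags"} & set(opts)):
        findings.append("no flow/flags option: alerts on every packet, not once per connection")
    # SIDs below 1,000,000 are reserved for distributed rules; local rules start there.
    sid = opts.get("sid", "")
    if sid.isdigit() and int(sid) < 1000000:
        findings.append("sid %s is in the range reserved for distributed rules; local rules use >= 1000000" % sid)
    return findings


def lint_rules(rules):
    """Map each rule's 'sid:rev' to its findings."""
    report = {}
    for text in rules:
        rule = parse_rule(text)
        key = "%s:%s" % (rule["options"].get("sid", "?"), rule["options"].get("rev", "?"))
        report[key] = lint_rule(rule)
    return report


if __name__ == "__main__":
    for key, findings in lint_rules(RULES).items():
        print(key, "OK" if not findings else "; ".join(findings))
```

Running it reports the ip-with-port problem for 1000002:1, the per-packet alerting for 2000001:1, and nothing for the corrected 1000002:2. Before loading a new local rule on a busy sensor, run "snort -T -c <snort.conf>" to make sure the configuration parses, and consider testing against a pcap first; that is a lot cheaper than deleting three million alerts through BASE.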
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users