Snort mailing list archives
Re: Rule help
From: Joel Esler <eslerj () gmail com>
Date: Tue, 23 Dec 2008 15:28:10 -0500
You can't use ports with the "ip" protocol. You have to use tcp or udp.

J

On Dec 23, 2008, at 3:09 PM, Jefferson, Shawn allegedly wrote:

Hi,

My original rule worked out great, but I tried to create another rule that alerts me on anything that went from the $HOME_NET to $EXTERNAL_NET port 11830, and I obviously did something wrong, since I got about 3 million alerts in 5 minutes... pretty much all traffic going to the IDS sensor (which takes forever to delete via BASE!)

Here's what I tried:

alert ip $HOME_NET any -> $EXTERNAL_NET 11830 (msg:"port 11830 traffic outbound"; sid:1000002; rev:1;)

Thanks,
Shawn

From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: December 19, 2008 6:43 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Rule help

Hi,

I need to create a rule that alerts whenever a connection is made to a specific IP address. I've never created a rule before, and unfortunately, I need this fairly quickly. Can anyone help me out?

Here's what I have:

alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)

Am I missing anything necessary for the rule to work?

Thanks,
Shawn

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Joel Esler http://www.joelesler.net [m]
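A small linter for the two rule headers in this thread, added here as an example (it is not Snort's own parser and not code from anyone in the thread). It assumes a simplified header grammar, flags the "ip"-with-port mistake Joel points out, and rewrites such a rule into the tcp and udp forms he suggests, bumping the sid of the second copy by a constructed offset.

```python
import re

# Simplified Snort rule header grammar (assumed for this example, not Snort's own parser):
#   action proto src_ip src_port direction dst_ip dst_port (options)
_HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)
# Only these transport protocols carry a port field in the header.
PORT_PROTOS = ("tcp", "udp")


def lint_rule(rule: str) -> list[str]:
    """Return the problems found in one rule; an empty list means it looks sane."""
    m = _HEADER_RE.match(rule.strip())
    if not m:
        return ["unparseable rule header"]
    problems = []
    proto = m["proto"].lower()
    # The mistake from the thread: 'ip' (and 'icmp') have no ports, so a port in
    # the header does not narrow the match the way the rule author expects.
    if proto not in PORT_PROTOS and any(p != "any" for p in (m["src_port"], m["dst_port"])):
        problems.append(f"protocol '{proto}' has no ports; use tcp or udp")
    opts = m["options"]
    if not re.search(r"(?:^|;)\s*msg\s*:", opts):
        problems.append("missing msg")
    if not re.search(r"(?:^|;)\s*sid\s*:\s*\d+", opts):
        problems.append("missing sid")
    return problems


def to_port_protocols(rule: str, sid_step: int = 1) -> list[str]:
    """Rewrite an 'ip' rule that names ports into a tcp copy and a udp copy; the udp
    copy gets sid + sid_step so the two do not collide (a constructed convention)."""
    rule = rule.strip()
    m = _HEADER_RE.match(rule)
    if not m or m["proto"].lower() != "ip":
        raise ValueError("expected an 'ip' protocol rule")
    out = []
    for i, proto in enumerate(PORT_PROTOS):
        new = rule[: m.start("proto")] + proto + rule[m.end("proto"):]
        new = re.sub(r"sid\s*:\s*(\d+)", lambda s: f"sid:{int(s.group(1)) + i * sid_step}", new)
        out.append(new)
    return out
```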