Re: Help would be appreciated!

[James Lay <jlay () slave-tothe-box net>]

On Thu, 2014-06-12 at 20:25 +0000, Nicholas Mavis (nmavis) wrote:
> Charlie,
>
>
> Not a problem, however please keep all discussion on the list rather
> than direct e-mails.
>
>
> You can write rules for anything. The packet does not necessarily have
> to be malicious in order to work your ability to write rules. Another
> good option would be to write rules for metasploit modules.
>
>
> Nick
>
>
> From: Charlie Egan <chas5873 () gmail com>
> Date: Thursday, June 12, 2014 at 2:02 PM
> To: "snort-users () lists sourceforge net"
> <snort-users () lists sourceforge net>
> Subject: [Snort-users] Help would be appreciated!
>
>
>
> Hi guys, 
>
> I've been playing around with Snort for a while now as a little
> project of mine, and I'm doing my best to get the hang of writing
> rules for it. I'm becoming more familiar with how signatures are made,
> and I'd like to begin writing rules which aren't currently detected by
> Snort, even if they're fairly simple ones.
>
>
>
> Currently I'm using Snort as a sniffer on a Kali Linux VM, metasploit
> on another Kali Linux VM, and Windows 2000 & XP as victim machines.
> I've been looking for exploits on sites such as exploit db and
> 1337day, and I'm trying to start with plain text protocols such as FTP
> and HTTP to make writing the rules slightly easier for me (using basic
> regular expressions and such). 
>
>
>
> If anybody could help me out it would be much appreciated, I've been
> trying to get my head around writing a rule that's not currently
> detected for a while now, and I'm not having much luck. 
>
>
>
> I'm not familiar with how these mailing lists work as well, so
> apologies if this isn't the sort of thing I should be posting - I've
> looked quite thoroughly for forums dedicated to Snort, and was hoping
> to find some good ones, especially with sections for beginners,
> although haven't had any luck as of yet. 
>
>
>
> Thanks for any help,
>
>
>
> Charlie
>
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> http://p.sf.net/sfu/hpccsystems
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


Also, the snort-sigs list is good for rule chit chat as well, but I
don't think anyone's been chastised for posted sig related stuff on this
list.

James

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!