Snort mailing list archives

Snort rule assistance / need help, have to complete on short notice by next week


From: Real Gamerholic via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 28 May 2021 07:35:23 -0400

1. I want to catch internal DNS requests (requests smaller than 512 bytes)
originating from any internal IP address. What will I put in the blanks to
complete the Snort rule? It has to be as specific as possible (use "any"
sparingly, if at all).

alert <blank 1> 192.168.8.1/<blank 2> <blank 3> -> <blank 4> <blank 5>
(msg:"DNS request detected!"; sid:1;)

2. John Doe remotely compromised the Active Directory server on the
network. He/she is attempting to port scan the DNS server with nmap's -sT
option to discover an SSH service. What Snort rule will detect John Doe's
malicious activity (in this instance)? It has to be as specific as possible (use
"any" sparingly, if at all).

alert <blank 1> <blank 2> <blank 3> -> <blank 4> <blank 5> (msg:"SSH
activity detected!"; sid:2;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
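An added example, not from the poster or the Snort project: a small Python matcher that parses rule headers of the shape used in both questions (action proto src sport -> dst dport (options)) plus the dsize and flags options, and evaluates constructed packets against two filled-in rules. The /24 mask, the AD server address 192.168.8.10 and the DNS server address 192.168.8.53 are assumptions, and `flags:S` is used to key on the SYN that opens each connection of nmap's full-connect (-sT) scan.

```python
# Minimal Snort-style rule matcher (added illustration, not Snort's own code):
# parses 'action proto src sport -> dst dport (options)' plus dsize and flags.
import ipaddress
import re

RULE_RE = re.compile(r"^(alert|log|pass|drop)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)"
                     r"\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for item in opts.split(";"):  # options are ';'-separated key:value pairs
        key, _, val = item.strip().partition(":")
        if key:
            options[key] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": options}

def _addr_ok(spec, ip):  # 'any', a single host, or a CIDR block
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _dsize_ok(spec, dsize):  # payload-size test; supports only '<N', '>N' and 'N'
    op, n = (spec[0], int(spec[1:])) if spec[0] in "<>" else ("=", int(spec))
    return dsize < n if op == "<" else dsize > n if op == ">" else dsize == n

def rule_matches(rule, pkt):  # pkt: proto, src, sport, dst, dport, dsize, optional flags
    o = rule["opts"]  # ports: 'any' or one port; Snort's port ranges are omitted here
    return (rule["proto"] == pkt["proto"]
            and _addr_ok(rule["src"], pkt["src"]) and rule["sport"] in ("any", str(pkt["sport"]))
            and _addr_ok(rule["dst"], pkt["dst"]) and rule["dport"] in ("any", str(pkt["dport"]))
            and ("dsize" not in o or _dsize_ok(o["dsize"], pkt["dsize"]))
            and ("flags" not in o or set(o["flags"]) == set(pkt.get("flags", ""))))

# Constructed rules; the /24 mask, AD server 192.168.8.10 and DNS server 192.168.8.53 are assumed.
RULES = [parse_rule(r) for r in (
    'alert udp 192.168.8.0/24 any -> any 53 (msg:"DNS request detected!"; dsize:<512; sid:1;)',
    'alert tcp 192.168.8.10 any -> 192.168.8.53 22 (msg:"SSH activity detected!"; flags:S; sid:2;)')]

# Constructed packets: a small DNS query, a connect-scan SYN to 22, a benign HTTPS SYN.
PACKETS = [
    dict(proto="udp", src="192.168.8.77", sport=51000, dst="8.8.8.8", dport=53, dsize=48),
    dict(proto="tcp", src="192.168.8.10", sport=40001, dst="192.168.8.53", dport=22, dsize=0, flags="S"),
    dict(proto="tcp", src="192.168.8.77", sport=40002, dst="192.168.8.53", dport=443, dsize=0, flags="S")]

def fired_sids(rules=RULES, packets=PACKETS):  # per packet, sids of rules that alert
    return [[int(r["opts"]["sid"]) for r in rules if rule_matches(r, p)] for p in packets]
```

Running `fired_sids()` shows that only the first two packets trigger an alert (sid 1 and sid 2 respectively), while the HTTPS SYN from a non-AD host matches neither rule.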
