Snort mailing list archives

RE: Test question


From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Mon, 17 Dec 2001 22:59:42 -0600

Hi Ryan,
 
Thanks for the explanation. It was really helpful. I actually would like
to create my custom rules but I don't know where to start.
I really praise you guys because you know how to read and understand
packets. That's what I want to do also. Would you guys
give me advice on where to start? Is there a book that I should buy
aside from Stevens' TCP/IP Illustrated Vol. 1?

I'm also really impressed by the guys out there who are able to develop
Snort rules for a specific attack.
How is that done? Share please. :-)

For me, I really appreciate seeing stuff in rules like content:"|ffff
ff2f 4249 4e2f 5348 00|". How the hell did that guy come up
with this rule!?! :-)

Thanks guys. This mailing list is really amazing.

-----Original Message-----
From: Ryan Hill [mailto:rhill () xypoint com]
Sent: Monday, December 17, 2001 4:09 PM
To: Ronneil Camara; Ryan Hill
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Test question


Ronneil,
 
If you don't change the rule processing order (snort -o), then AFAIK,
the alert will trigger regardless of the pass rule since alert rules
will be processed first in the engine.  Generally, if you've written any
pass rules, you want to use snort -o to utilize them.  The default
option is not using them (probably for performance reasons - one can
speculate).
 
BTW: Good suggestions Phil.  I'm getting double triggers as the messages
pass over two sensors before reaching me... lol
 
<snip false alarm generating sig here>
 
Regards,


Ryan Hill, MCSE
IT Ninja 
Corporate Information Systems 
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001 
pgp: 0x17CE70AB 

-----Original Message-----
From: Ronneil Camara [mailto:ronneilc () remingtonltd com] 
Sent: Monday, December 17, 2001 12:57 PM
To: Ryan Hill
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Test question


Thanks Ryan,
 
I'll try that one. So if I didn't use -o, then the new rule must come
before the alert, am I right?
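The content string Ronneil quotes above only looks cryptic until it is decoded: Snort's `content:` value is literal text in which `|...|` sections hold hex bytes, and the author of such a rule simply captured the bytes that a given exploit puts on the wire. The decoder below is an added example written for this archive page, not code from the thread or from Snort itself; it implements the documented content syntax (pipe-delimited hex, backslash escapes for `|`, `"`, `;` and `\`) and assumes plain ASCII literal text.

```python
"""Decode a Snort content:"..." value into the raw bytes it matches.

Added example (not from the mailing list). Syntax handled: literal text,
|hex bytes| sections (whitespace between hex pairs is ignored) and
backslash escapes for the characters | " ; and backslash.
"""
import string


def decode_content(spec: str) -> bytes:
    """Return the byte string a content:"..." value would match."""
    out = bytearray()
    in_hex = False      # True while inside a |...| section
    hexbuf = ""         # pending hex digit of the current byte
    i = 0
    while i < len(spec):
        c = spec[i]
        if in_hex:
            if c == "|":
                if hexbuf:
                    raise ValueError("odd number of hex digits in |...|")
                in_hex = False
            elif c in string.whitespace:
                pass                                # "ff2f 4249" style spacing
            elif c in string.hexdigits:
                hexbuf += c
                if len(hexbuf) == 2:
                    out.append(int(hexbuf, 16))
                    hexbuf = ""
            else:
                raise ValueError(f"non-hex character {c!r} inside |...|")
        elif c == "|":
            in_hex = True
        elif c == "\\":                             # escaped metacharacter
            i += 1
            if i >= len(spec) or spec[i] not in '|";\\':
                raise ValueError("bad escape in content string")
            out.append(ord(spec[i]))
        else:
            out.append(ord(c))                      # literal ASCII text
        i += 1
    if in_hex:
        raise ValueError("unterminated |...| hex section")
    return bytes(out)


def printable(data: bytes) -> str:
    """Render matched bytes as text, non-printable bytes as \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in data)


# The content value quoted in the thread, copied from that message.
RULE_CONTENT = "|ffff ff2f 4249 4e2f 5348 00|"

if __name__ == "__main__":
    raw = decode_content(RULE_CONTENT)
    print(raw.hex(), "->", printable(raw))   # ... -> \xff\xff\xff/BIN/SH\x00
```

Run on the quoted rule it shows the match is three 0xff bytes followed by the NUL-terminated string "/BIN/SH", which is why the rule author could write it down after looking at the packet payload.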

