Snort mailing list archives
RE: writing snort rules
From: Bryce Stenberg <bryce () hrnz co nz>
Date: Wed, 27 Feb 2002 10:40:26 +1300
Hi Peter,

I've just been through the same thing. I'm using Windows NT. When I downloaded the file "Snort-1.8.3b92-Win32-Static.zip" from Silicon Defence site it had two useful files - 'SnortUsersManual.pdf' which has a large section on writing rules, and 'RULES.SAMPLE' which like it sounds has lots of sample rules which are also very useful for understanding. I presume other downloads have similar?

Regards,
Bryce Stenberg.
Harness Racing New Zealand computer department, emailto:bryce () hrnz co nz
From: Peter.VE () pandora be
To: <snort-users () lists sourceforge net>
Date: Tue, 26 Feb 2002 21:19:21 +0100
Subject: [Snort-users] writing snort rules

Hi all,

After 4 months of testing snort (with success), I want to start writing my own snort rules.
Are there any faq's out there ? tips&tricks ?

for example :
how can I detect any type of traffic (tcp or udp, on all ports), from the inside (so from $HOME_NET), to a given IP on the internet (to any) ?
This seems like an easy rule to write, but it doesn't work...

a little bit of help is greatly appreciated

thanks