Snort mailing list archives
Custom rules
From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: 02 Sep 2003 10:02:17 -0700
I'm a relative newb to snort. I've been using it for a while, and am familiar with how it works, but now I'm moving to the next step. CUSTOM RULES!!!

I'm trying to log all internet traffic (specifically web pages) from one particular host on my network. I've read the snort documentation with this as the sample rule.

    alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

I think I have an understanding of this, but what would I put in the content section? Does that even need to be there? What if I just did this:

    alert tcp any any -> 192.168.1.0/32 80 (content:""; msg:"Jill's Activity";)

(names have been changed to protect the guilty)

Or if I wanted to log all traffic, and not just port 80, can I remove the "80" and it will start logging everything? Or am I facing the wrong way on the wrong track?

Google hasn't turned up any answers yet but I will keep looking.

--Bryan
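The following local rules file is an added example and is not part of Bryan's post or of the Snort distribution. It does what the post asks for using only Snort's rule header: the `content` option is not required, and a rule whose header matches every packet you care about needs no payload test at all. Two details the example makes explicit: a host's outbound web requests have that host as the source and port 80 as the destination, so the monitored host goes on the left of the arrow; and `/32` denotes exactly one address (a bare address without a mask means the same thing). To log everything rather than just web traffic, the port becomes `any`, the protocol becomes `ip`, and `<>` matches both directions. The host address 192.168.1.50, the variable name `JILL` and the `sid` numbers are assumptions chosen for the example.

```snort
# local.rules -- added example; host address, variable name and sids are assumed.
# Include this file from snort.conf with:  include local.rules

# The host to watch. 192.168.1.50 is a placeholder; use the real address.
var JILL 192.168.1.50

# 1. Web traffic only. The header alone selects the packets, so no
#    content option is needed. "log" writes the packets to the log
#    directory without raising an alert; use "alert" if you want both.
#    Note the direction: the client is the source, port 80 is the
#    destination.
log tcp $JILL any -> any 80 (msg:"Jill's web activity"; sid:1000001; rev:1;)

# 2. Every packet to or from the host, any protocol, any port.
#    "ip" covers tcp, udp and icmp; "<>" matches either direction.
log ip $JILL any <> any any (msg:"Jill's activity - all traffic"; sid:1000002; rev:1;)

# 3. Same as rule 1, but only if the request actually carries an HTTP GET.
#    This is what content is for: a payload byte pattern the packet must
#    contain in addition to matching the header.
alert tcp $JILL any -> any 80 (content:"GET "; msg:"Jill's HTTP GET"; sid:1000003; rev:1;)
```

Rules 1 and 2 overlap on purpose, to show the two questions in the post side by side; in practice keep whichever one you want. After adding the `include`, `snort -T -c snort.conf` parses the configuration and rules and reports errors without starting to sniff, which is the quickest way to confirm the file is accepted before running it against live traffic.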
Current thread:
- Custom rules Bryan Irvine (Sep 02)
- <Possible follow-ups>
- RE: Custom rules Schmehl, Paul L (Sep 02)