Snort mailing list archives

Custom rules


From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: 02 Sep 2003 10:02:17 -0700

I'm a relative newb to snort.  I've been using it for a while, and am
familiar with how it works, but now I'm moving to the next step.

CUSTOM RULES!!!

I'm trying to log all internet traffic (specifically web pages) from one
particular host on my network.

I've read the snort documentation with this as the sample rule.

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

I think I have an understanding of this, but what would I put in the
content section?  Does that even need to be there?

What if I just did this:

alert tcp any any -> 192.168.1.0/32 80 (content:""; msg:"Jill's Activity";)

(names have been changed to protect the guilty) 

Or if I wanted to log all traffic, and not just port 80 can I remove the
"80" and it will start logging everything?  Or am I facing the wrong way
on the wrong track?

Google hasn't turned up any answers yet but I will keep looking.

--Bryan



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
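Editor's note on the question above (an added illustration, not part of Bryan's post or of Snort itself): a Snort rule header reads `action proto src srcport -> dst dstport`, so the source host goes on the LEFT of the arrow. The posted rule, `any any -> 192.168.1.0/32 80`, therefore matches traffic arriving AT 192.168.1.0 on port 80, not traffic leaving the host; and `/32` selects the single address 192.168.1.0. To capture one host's outbound web traffic the host belongs on the left, the `content` option can simply be omitted (it is optional), and replacing the port with `any` (and `tcp` with `ip`) widens the rule to all of that host's traffic. The `log` action records the packet without raising an alert; `alert` does both. The Python below is a small matcher for the header part of a rule, written here to make those semantics concrete against three constructed packets. The host 192.168.1.5, the remote addresses and the sid values are assumptions for the example (local rules conventionally use sid 1000000 and above); the matcher ignores the option body entirely.

```python
"""Matcher for the header part of a Snort rule (action proto src sport
direction dst dport).  Added example for the thread above; not Snort code.
It deliberately ignores everything inside the parentheses."""
import ipaddress
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)

# The rule as posted: destination is 192.168.1.0 (the single host /32), port 80.
POSTED = 'alert tcp any any -> 192.168.1.0/32 80 (content:""; msg:"Jill\'s Activity";)'
# Assumed host 192.168.1.5 on the LEFT: its outbound web requests only.
OUTBOUND_WEB = 'log tcp 192.168.1.5 any -> any 80 (msg:"Jill web activity"; sid:1000001; rev:1;)'
# Same host, every IP protocol and every port: all of its outbound traffic.
OUTBOUND_ALL = 'log ip 192.168.1.5 any -> any any (msg:"Jill all traffic"; sid:1000002; rev:1;)'


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_matches(spec, addr):
    """'any', a host, a CIDR block, or a '!'-negated form of either."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negate else hit


def _port_matches(spec, port):
    """'any', a single port, a lo:hi range (either end open), or a '!'-negated form."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return not hit if negate else hit


def header_matches(rule, pkt):
    """True if the rule header selects this packet.  '->' is one-way
    (left side is the packet's source); '<>' matches either direction."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule header: %r" % rule)
    if m["proto"] != "ip" and m["proto"] != pkt.proto:
        return False
    forward = (_addr_matches(m["src"], pkt.src) and _port_matches(m["sport"], pkt.sport)
               and _addr_matches(m["dst"], pkt.dst) and _port_matches(m["dport"], pkt.dport))
    if m["dir"] == "->":
        return forward
    reverse = (_addr_matches(m["src"], pkt.dst) and _port_matches(m["sport"], pkt.dport)
               and _addr_matches(m["dst"], pkt.src) and _port_matches(m["dport"], pkt.sport))
    return forward or reverse


# Constructed packets (addresses and ports invented for the example).
JILL_TO_WEB = Packet("tcp", "192.168.1.5", 51234, "203.0.113.10", 80)   # her HTTP request
WEB_TO_JILL = Packet("tcp", "203.0.113.10", 80, "192.168.1.5", 51234)   # the reply
TO_DOT_ZERO = Packet("tcp", "10.0.0.1", 40000, "192.168.1.0", 80)       # inbound to .0:80
JILL_DNS = Packet("udp", "192.168.1.5", 5353, "192.168.1.1", 53)        # her DNS query


def summary():
    """Which rule selects which packet; used by the usage call and the test."""
    return {
        "posted_vs_outbound_web": header_matches(POSTED, JILL_TO_WEB),
        "posted_vs_inbound_to_dot_zero": header_matches(POSTED, TO_DOT_ZERO),
        "web_rule_vs_outbound_web": header_matches(OUTBOUND_WEB, JILL_TO_WEB),
        "web_rule_vs_reply": header_matches(OUTBOUND_WEB, WEB_TO_JILL),
        "all_rule_vs_dns": header_matches(OUTBOUND_ALL, JILL_DNS),
        "all_rule_vs_reply": header_matches(OUTBOUND_ALL, WEB_TO_JILL),
    }


if __name__ == "__main__":
    for name, hit in summary().items():
        print("%-32s %s" % (name, hit))
```

Run it and the first line shows the posted rule does not fire on the host's own web request while the third shows the host-on-the-left rule does; the last two show that `ip ... any any` catches the host's DNS query but still not the inbound reply, because `->` is one-way. To see both halves of each conversation in the log, use `<>` or add a second rule with the host on the right.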