Snort mailing list archives
RE: Custom rules
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 2 Sep 2003 13:41:27 -0500
-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Tuesday, September 02, 2003 12:02 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Custom rules

I think I have an understanding of this, but what would I put in the content section? Does that even need to be there?
That depends on what content you're looking for.
What if I just did this:

alert tcp any any -> 192.168.1.0/32 80 (content:""; msg:"Jill's Activity";)
If you want to see *all* traffic on port 80 on her machine, this would work (remove the content part, you don't need it). But if you're trying to see all the websites she is going to, you've got port 80 on the wrong side of the conversation. You would want this instead:

alert tcp any 80 -> 192.168.1.0 any (msg: "Jill's Web Browsing Activities";)
Or if I wanted to log all traffic, and not just port 80 can I remove the "80" and it will start logging everything?
Yes. Use "any" instead. But be prepared for a *lot* of traffic. If, for example, you wanted to see every packet that had Jill's name in it:

alert ip any any -> any any (msg: "All traffic with Jill's name in it"; content: "Jill"; sid: 1000001; rev: 1;)

(You should always create sids for your custom rules, and they should start at 1 million and 1.) Revs are good too, if you think you'll be changing the rule often.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
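An added example, not part of the thread: a small Python checker for the points raised in this reply. It parses a one-line Snort rule, says which side of the header is acting as the server (the "port 80 on the wrong side" issue), and flags an empty content option, a missing or too-low sid (below 1,000,001) and a missing rev. The header regex is an assumption of this example covering only the single-line rule form shown above, not Snort's full grammar.

```python
import re

# Custom rules start at sid 1,000,001 (per the reply); lower sids belong to the distributed rule set.
LOCAL_SID_MIN = 1_000_001

# Single-line rule form used in this thread (assumption, not Snort's full grammar).
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(rule):
    """Return the header fields plus a list of (option, value) pairs."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % rule)
    fields = m.groupdict()
    options = []
    # Options are ';'-separated; escaped ';' inside content is not handled here.
    for opt in filter(None, map(str.strip, fields.pop("opts").split(";"))):
        key, _, value = opt.partition(":")
        options.append((key.strip(), value.strip().strip('"')))
    fields["options"] = options
    return fields


def describe(rule):
    """Plain-English reading of the header, naming the server side if one is fixed."""
    r = parse_rule(rule)
    text = "%s from %s:%s to %s:%s" % (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
    if r["sport"] == "any" and r["dport"] != "any":
        text += "; server side: %s (listening on %s)" % (r["dst"], r["dport"])
    elif r["sport"] != "any" and r["dport"] == "any":
        text += "; server side: %s (replying from %s)" % (r["src"], r["sport"])
    return text


def lint_rule(rule):
    """List the problems this thread warns about; an empty list means clean."""
    opts = dict(parse_rule(rule)["options"])
    problems = []
    if opts.get("content") == "":
        problems.append('content:"" is empty; drop the option or give it a pattern')
    if "sid" not in opts:
        problems.append("missing sid; custom rules start at %d" % LOCAL_SID_MIN)
    elif int(opts["sid"]) < LOCAL_SID_MIN:
        problems.append("sid %s is below %d" % (opts["sid"], LOCAL_SID_MIN))
    if "rev" not in opts:
        problems.append("missing rev")
    return problems
```

Running lint_rule on the first rule in this thread reports the empty content, missing sid and missing rev; the final rule in the reply passes clean.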