Snort mailing list archives
Re: NEWBIE: rule writing walkthru?
From: "Keith W. McCammon" <mccammon () gmail com>
Date: Tue, 13 Jul 2004 10:11:18 -0400
> I'm brand new to Snort. Know what it is capable of and want to play with it but I'm having trouble getting out of the blocks. I'm reading through the docs and it seems pretty straightforward but I would like to find a walkthru/tutorial or something like that for rule writing.
The documentation is a pretty good place to start. It's pretty standard stuff. If some condition exists, generate an alert or log (or don't). Start there, and work your way through things like the TCP flags, flows, and thresholding, which will reduce the noise generated by your more generic rules.
> I'm wanting to use Snort as both an IDS AND a web usage monitor. I'm working with a state agency and money is...well...there is no money to spend on a Netappliance machine or something of that ilk. I was thinking that if Snort can detect intrusions it must also be able to do the web usage thing given the correct rule.
In theory, you could use it to monitor web traffic. You could start it in sniffer mode, with name resolution (à la tcpdump) and catch web traffic that way. Goes without saying that you'll need to use another tool to analyze the data, as you'll get a lot more than you probably want, if you just want to see who's going where and when. Alternatively, you could set up one of the open-source proxy systems, which is actually supposed to be used for something along these lines. This would preclude you from trying to tweak Snort into giving you something that it isn't "intended" to do (in quotes because, in theory, you can do damn near anything with it, provided that you understand what you're after very specifically).
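As an added illustration of the progression Keith describes (not part of the original thread): a generic "who is browsing" rule, then the same rule narrowed with flow, TCP flags and thresholding so it stops flooding the alert log. `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` are the usual snort.conf variables; the sids are local placeholders in the 1000000+ range reserved for site rules.

```snort
# Step 1: the generic rule. It fires on every segment that starts with "GET "
# heading for a web port, so one busy office produces thousands of alerts/hour.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"WEB-USAGE outbound HTTP GET (noisy)"; content:"GET "; depth:4; \
    classtype:not-suspicious; sid:1000001; rev:1;)

# Step 2: the same detection, narrowed the way Keith suggests.
#   flow:      only client->server segments inside an established session, so
#              half-open probes and server replies never reach content matching
#   flags:     the request segment normally carries PSH+ACK; the ",12" tells
#              Snort to ignore the two reserved bits when comparing
#   threshold: at most one alert per source host per 60 s, however many
#              requests that host makes (type limit, track by_src)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"WEB-USAGE outbound HTTP GET (one per host per minute)"; \
    flow:to_server,established; flags:PA,12; content:"GET "; depth:4; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    classtype:not-suspicious; sid:1000002; rev:1;)

# Step 3: for pure usage logging rather than alerting, change the action so the
# packet goes to the log output plugin instead of the alert facility.
log tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"WEB-USAGE outbound HTTP GET (logged)"; \
    flow:to_server,established; content:"GET "; depth:4; \
    sid:1000003; rev:1;)
```

Put the rules in a local rules file included from snort.conf and check them with `snort -T -c snort.conf` before running; the logged packets still need a separate tool to turn them into a per-user report, as Keith notes.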
Current thread:
- NEWBIE: rule writing walkthru? Wayne Fielder (Jul 13)
- Re: NEWBIE: rule writing walkthru? Keith W. McCammon (Jul 13)
- Re: NEWBIE: rule writing walkthru? Nerijus Krukauskas (Jul 13)
- Re: NEWBIE: rule writing walkthru? shashank . joshi (Jul 14)