Snort mailing list archives
RE: putting in the Snort rules and dump results in Syslogd
From: "Lee Clemens" <snort () leeclemens net>
Date: Tue, 15 Mar 2005 02:01:07 -0500
First add the rule to your local.rules file (in the directory where your other rules files are and as noted in your snort.conf file as RULE_PATH). With "alert" in front of the rule, it should be displayed in your Syslog (depending on the options you supplied when running or installing Snort); "log" would only add the packet to your log path. You'll want to give it a sid: value too; local rules start at 1000000, so if it's your first local rule, sid:1000000 should work just fine. Then restart Snort and it should be good.

As far as testing it is concerned, the only way I know of is to generate that traffic over your network (probably temporarily changing $EXTERNAL_NET to $HOME_NET so it would still be valid).

--Lee

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of mr leokenzie
Sent: Tuesday, March 15, 2005 1:38 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] putting in the Snort rules and dump results in Syslogd

Where do I put the Snort rules, for example:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "DOS SMBdie attack"; flags: A+; content:"|57724c65680042313342577a|";)

and check whether the Snort rule works? How can I set it up so that the results will be displayed in the Syslogd?

Thanks
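As an added illustration (not code from the thread or from the Snort project): a small Python rule-lint that applies the checklist in Lee's reply to the posted rule. It parses the rule header and options, warns when the action is not "alert" (so nothing would reach syslog), assigns sid:1000000 when no sid is present, flags sids below the local range, and decodes the |hex| content so you can see which bytes the rule actually matches. The sample rule and the local-sid constant are taken from the thread; everything else is assumed helper code.

```python
import re

# Constructed sample: the rule posted in the thread, as written (no sid yet).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 139 '
               '(msg: "DOS SMBdie attack"; flags: A+; '
               'content:"|57724c65680042313342577a|";)')
LOCAL_SID_START = 1000000  # first sid of the range reserved for local rules

# Header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def split_options(opts):
    """Split the option body on ';' outside double quotes into (key, value)."""
    parts, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(cur)); cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    pairs = []
    for p in (p.strip() for p in parts if p.strip()):
        k, _, v = p.partition(':')          # keywords like "nocase" have no value
        pairs.append((k.strip(), v.strip() or None))
    return pairs

def decode_content(value):
    """Render a content value (text with |hex| escapes) as the bytes matched."""
    out = bytearray()
    for i, seg in enumerate(value.strip('"').split('|')):  # odd segments are hex
        out += bytes.fromhex(seg) if i % 2 else seg.encode('latin-1')
    return bytes(out)

def lint_local_rule(rule):
    """Return (fixed_rule, warnings) for a single-line rule destined for local.rules."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a single-line Snort rule: %r' % rule)
    opts = dict(split_options(m.group('opts')))
    warnings, fixed = [], rule.strip()
    if m.group('action') != 'alert':
        warnings.append('action %r will not produce syslog alerts' % m.group('action'))
    if 'sid' not in opts:                   # append sid/rev before the closing ')'
        warnings.append('no sid; assigning %d' % LOCAL_SID_START)
        fixed = fixed[:-1].rstrip() + ' sid:%d; rev:1;)' % LOCAL_SID_START
    elif int(opts['sid']) < LOCAL_SID_START:
        warnings.append('sid %s collides with the distributed rule range' % opts['sid'])
    return fixed, warnings
```

Running `lint_local_rule(SAMPLE_RULE)` returns the rule with `sid:1000000; rev:1;` appended, and `decode_content` shows the content pattern is the NetBIOS-session bytes `WrLeh\x00B13BWz`.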