Snort mailing list archives
Re: Rule help
From: "Matt Olney" <molney () sourcefire com>
Date: Fri, 19 Dec 2008 23:32:42 -0500
You probably only want to alert once per connection attempt. This will alert against that IP address only when the SYN flag is set:

alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; flags:S+; sid:2000001; rev:1;)

If you require detection on something other than TCP, you will want to go with "ip" instead of "tcp", as Markus said, but you'll lose the ability to make the flag check.

By the way, I'm not at the office, but I'm pretty sure the flags option is right. Double check the documentation.

For performance reasons, you might want to only fire on select ports (such as those listening):

alert tcp $EXTERNAL_NET any -> 146.155.47.250 [25,80,110] (msg:"VMWare Service Infected"; flags:S+; sid:2000001; rev:1;)

Matt

On Fri, Dec 19, 2008 at 10:19 PM, Markus Lude <markus.lude () gmx de> wrote:
> On Fri, Dec 19, 2008 at 07:42:49PM -0700, Jefferson, Shawn wrote:
> > Hi,
>
> Hello,
>
> > I need to create a rule that alerts whenever a connection is made to a specific IP address. I've never created a rule before, and unfortunately, I need this fairly quickly. Can anyone help me out? Here's what I have:
> >
> > alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)
>
> You may want to use "ip" instead of "tcp" for the protocol.
>
> Regards,
> Markus
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
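To make the difference between the rules in this thread concrete, here is a small Python evaluator (added here, not code from the thread or from Snort itself) that implements the flags modifier semantics as the Snort manual documents them and runs Shawn's original rule, Matt's two rules and Markus's "ip" variant over a constructed packet list. The packet list and the reduced (proto, dst, ports, flags) rule tuples are assumptions made for the example.

```python
# Added example, not from the thread: a toy evaluator for the Snort "flags" option,
# showing why flags:S+ alerts once per connection attempt instead of once per packet.
TARGET = "146.155.47.250"
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

def flags_match(spec, pkt_flags):
    """Evaluate a Snort flags test ("S", "S+", "*SA", "!S", "S,12", "0")."""
    spec, _, mask = spec.replace(" ", "").upper().partition(",")
    pkt_flags &= ~sum(TCP_FLAGS[c] for c in mask)  # ",12" ignores reserved bits
    mode = "exact"
    if spec[0] in "*!":
        mode, spec = {"*": "any", "!": "not"}[spec[0]], spec[1:]
    if spec.endswith("+"):
        mode, spec = "plus", spec[:-1]
    want = 0 if spec == "0" else sum(TCP_FLAGS[c] for c in spec)
    if mode == "exact":
        return pkt_flags == want          # "S": SYN and nothing else
    if mode == "plus":
        return pkt_flags & want == want   # "S+": SYN plus any other bits (ECN etc.)
    if mode == "any":
        return pkt_flags & want != 0      # "*SA": at least one listed bit
    return pkt_flags & want == 0          # "!S": none of the listed bits

def rule_matches(rule, pkt):
    """Apply the header (proto, dst, dst ports) and flags option of a rule."""
    proto, dst, ports, flags = rule
    if proto != "ip" and pkt["proto"] != proto:
        return False
    if pkt["dst"] != dst or (ports != "any" and pkt["dport"] not in ports):
        return False
    return flags is None or flags_match(flags, pkt["flags"])

def count_alerts(rule, packets):
    return sum(rule_matches(rule, p) for p in packets)

# Rules from the thread, reduced to (proto, dst, dst ports, flags)
RULE_ORIGINAL = ("tcp", TARGET, "any", None)            # Shawn's first attempt
RULE_SYN = ("tcp", TARGET, "any", "S+")                 # Matt's flags:S+ rule
RULE_SYN_PORTS = ("tcp", TARGET, [25, 80, 110], "S+")   # Matt's port-restricted rule
RULE_IP = ("ip", TARGET, "any", None)                   # Markus's "ip" suggestion

# Constructed traffic: one HTTP connection, one ECN-capable SYN, one DNS query
PACKETS = [
    {"proto": "tcp", "dst": TARGET, "dport": 80, "flags": 0x02},    # SYN
    {"proto": "tcp", "dst": TARGET, "dport": 80, "flags": 0x10},    # ACK
    {"proto": "tcp", "dst": TARGET, "dport": 80, "flags": 0x18},    # PSH+ACK
    {"proto": "tcp", "dst": TARGET, "dport": 80, "flags": 0x11},    # FIN+ACK
    {"proto": "tcp", "dst": TARGET, "dport": 3389, "flags": 0xC2},  # SYN+CWR+ECE
    {"proto": "udp", "dst": TARGET, "dport": 53, "flags": 0},       # DNS
]
```

Running `count_alerts` over PACKETS gives 5 alerts for the original rule, 2 for flags:S+, 1 with the port list, and 6 for the ip rule, which also shows why a plain "S" (no plus) would miss the ECN-capable SYN.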
Current thread:
- Rule help Jefferson, Shawn (Dec 19)
- Re: Rule help Markus Lude (Dec 19)
- Re: Rule help Matt Olney (Dec 19)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Joel Esler (Dec 23)
- Re: Rule help Jack Pepper (Dec 23)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Jack Pepper (Dec 23)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Joel Esler (Dec 23)
- Re: Rule help Jefferson, Shawn (Dec 23)
- Re: Rule help Markus Lude (Dec 19)