Snort mailing list archives

Re: Rule help


From: "Matt Olney" <molney () sourcefire com>
Date: Fri, 19 Dec 2008 23:32:42 -0500

You probably only want to alert once per connection attempt.  This
will alert against that IP address only when the SYN flag is set.

alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; flags: s+; sid:2000001; rev:1;)

If you require detection on something other than TCP, you will want to
go with "ip" instead of "tcp", as Markus said, but you'll lose the
ability to make the flag check.  By the way I'm not at the office, but
I'm pretty sure the flags option is right.  Double check the
documentation.  For performance reasons, you might want to only fire
on select ports (such as those listening):

alert tcp $EXTERNAL_NET any -> 146.155.47.250 [25,80,110] (msg:"VMWare Service Infected"; flags: s+; sid:2000001; rev: 1;)

Matt


On Fri, Dec 19, 2008 at 10:19 PM, Markus Lude <markus.lude () gmx de> wrote:
On Fri, Dec 19, 2008 at 07:42:49PM -0700, Jefferson, Shawn wrote:
Hi,

Hello,

I need to create a rule that alerts whenever a connection is made to a
specific IP address.  I've never created a rule before, and
unfortunately, I need this fairly quickly.  Can anyone help me out?

Here's what I have:
alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)

You may want to use "ip" instead of "tcp" for the protocol.

Regards,
Markus
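The thread compares four variants of the same rule: Shawn's original (every TCP packet to the host), Matt's `flags:S+` version (SYN only), the port-restricted version, and Markus's `ip` suggestion (every packet, any transport, no flag check possible). The following is an added example, not Snort code and not from any of the posters: a toy evaluator that mimics Snort's header matching (protocol, direction, ports) and the `flags` option with its `+`, `*` and `!` modifiers, then runs each rule over a constructed handshake-plus-data exchange so you can see how many alerts each variant would raise on one connection. Assumptions: `$EXTERNAL_NET` is treated as `any` (its real value comes from snort.conf), `ip` rules ignore ports, and the flag letters are written in the uppercase form used by the Snort manual.

```python
"""Toy evaluator for the header checks in the rules discussed above.

Added example, not Snort code. It models: protocol/direction/port
matching, and the `flags` option (exact match by default, `S+` = SYN
plus any others, `S*` = any of the listed, `!S` = negation).
"""
from dataclasses import dataclass
import re

# Snort flag letters -> bits of the TCP flags byte (F S R P A U).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

RULE_RE = re.compile(r"^alert\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # e.g. "S", "SA", "PA"; unused for non-TCP


def flag_value(letters):
    """Sum the bits for each flag letter; unknown letters (e.g. '0') add nothing."""
    return sum(FLAG_BITS[c] for c in letters.upper() if c in FLAG_BITS)


def flags_match(spec, pkt_flags):
    """Snort `flags` semantics for one packet."""
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    mod = spec[-1] if spec and spec[-1] in "+*" else ""
    want = flag_value(spec.rstrip("+*"))
    have = flag_value(pkt_flags)
    if mod == "+":
        hit = (have & want) == want        # listed flags plus anything else
    elif mod == "*":
        hit = (have & want) != 0           # any one of the listed flags
    else:
        hit = have == want                 # exactly the listed flags
    return not hit if negate else hit


def port_match(spec, port):
    if spec == "any":
        return True
    return port in {int(p) for p in spec.strip("[]").split(",")}


def addr_match(spec, addr):
    # Assumption: variables such as $EXTERNAL_NET are treated as "any" here.
    if spec == "any" or spec.startswith("$"):
        return True
    return spec == addr


def rule_matches(rule, pkt):
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax")
    proto, src, sport, dst, dport, opts = m.groups()
    if proto in ("tcp", "udp") and pkt.proto != proto:
        return False                       # "ip" accepts any transport
    if not (addr_match(src, pkt.src) and addr_match(dst, pkt.dst)):
        return False
    if proto != "ip" and not (port_match(sport, pkt.sport) and port_match(dport, pkt.dport)):
        return False                       # assumption: ports ignored for ip rules
    fm = re.search(r"flags:\s*([^;]+);", opts)
    if fm and (pkt.proto != "tcp" or not flags_match(fm.group(1), pkt.flags)):
        return False                       # flag check only makes sense for TCP
    return True


def count_alerts(rule, packets):
    return sum(1 for p in packets if rule_matches(rule, p))


# Constructed traffic: one client completes a handshake to the watched
# host on port 80 and sends two data segments; plus one SYN to a port
# nothing listens on, and one UDP datagram.
HOST = "146.155.47.250"
TRAFFIC = [
    Packet("tcp", "10.1.1.5", 40000, HOST, 80, "S"),    # SYN
    Packet("tcp", HOST, 80, "10.1.1.5", 40000, "SA"),   # SYN/ACK, reverse direction
    Packet("tcp", "10.1.1.5", 40000, HOST, 80, "A"),    # ACK
    Packet("tcp", "10.1.1.5", 40000, HOST, 80, "PA"),   # data
    Packet("tcp", "10.1.1.5", 40000, HOST, 80, "PA"),   # data
    Packet("tcp", "10.1.1.5", 40001, HOST, 9999, "S"),  # SYN to a closed port
    Packet("udp", "10.1.1.5", 5000, HOST, 53),          # UDP datagram
]

RULE_ORIGINAL = 'alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)'
RULE_SYN = 'alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; flags:S+; sid:2000001; rev:1;)'
RULE_SYN_PORTS = 'alert tcp $EXTERNAL_NET any -> 146.155.47.250 [25,80,110] (msg:"VMWare Service Infected"; flags:S+; sid:2000001; rev:1;)'
RULE_IP = 'alert ip any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)'

if __name__ == "__main__":
    for name, rule in [("original tcp", RULE_ORIGINAL), ("flags:S+", RULE_SYN),
                       ("flags:S+ with ports", RULE_SYN_PORTS), ("ip, no flags", RULE_IP)]:
        print(f"{name:22s} {count_alerts(rule, TRAFFIC)} alert(s)")
```

On that traffic the unrestricted TCP rule fires five times for one connection, the `S+` rule twice (the real SYN and the SYN to the closed port; the SYN/ACK is in the reverse direction and so never matches), the port-restricted rule once, and the `ip` rule six times because it also picks up the UDP datagram and cannot check flags at all.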


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

