Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Create rule to alert on destination IP Address

From: Joel Esler <jesler () sourcefire com>
Date: Thu, 1 Sep 2011 16:27:28 -0400
On Sep 1, 2011, at 4:00 PM, Mike Smith wrote:


Hello,
 
I trying to learn how I can create a rule or alert, using snort and base to let me know if workstation is trying to 
connect a specfic IP address.  This is a known malware server.


alert tcp $HOME_NET any -> 1.1.1.1 any (msg:"connection to ip 1.1.1.1 detected"; flow:to_server; flags:S+; sid:1;)

or something like that (insert your ip in 1.1.1.1)

http://manual.snort.org may help as well.

Joel


------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better 
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: