Snort mailing list archives
Re: Snort Rule Format Example
From: Martin Holste <mcholste () gmail com>
Date: Wed, 12 Oct 2011 21:52:14 -0500
It's from this master's thesis: ntnu.diva-portal.org/smash/get/diva2:348376/FULLTEXT01 . Motahareh, you need to read the Snort docs on www.snort.org, specifically the rule writing section, and you'll get it right away.

On Wed, Oct 12, 2011 at 8:56 PM, JJ Cummings <cummingsj () gmail com> wrote:
Smells kinda like a school assignment...

Sent from the iRoad

On Oct 12, 2011, at 19:49, Joel Esler <jesler () sourcefire com> wrote:

That's a Snort rule in its most basic form. Unfortunately, if it fires, you'll never know, as it doesn't have a message. In fact, Snort won't even let you put this rule into the ruleset as it has no Sid. This rule is basically looking for a whole header to this particular http connection. I don't think this rule will fire. And if it does, as I said, you'd never know.

--
Joel Esler

On Oct 12, 2011, at 4:17 PM, motahareh dehghan chachkamy <motahareh16121 () gmail com> wrote:

Hi everybody,
I have a question about this:

F.2.4 Lookfreebies

alert tcp 61.0.0.0/8 any -> 129.241.196.0/24 80 (content: "GET http://lookfreebies.com/prx1.php HTTP/1.0|0D 0A|Accept: */*|0D 0A|Accept-Language: en-us|0D 0A|User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)|0D 0A|Host: lookfreebies.com|0D 0A|Connection: Keep-Alive|0D 0A 0D|"; )

What is its concept? I just know it is Snort format but I don't understand it. Can you help me with this?

Sincerely,
M.dehghan

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
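Joel's three points about the rule (no msg, no sid, and one byte-exact content match on the whole request header) can be checked mechanically. The following Python is an added example, not code from this thread, the cited thesis or the Snort project: it parses a Snort 2.x rule into header fields and options, decodes the |..| hex escapes in content strings, and lints both the posted rule and a constructed rewrite; the rewrite's msg text and its local sid 1000001 are assumptions.

```python
import re

# Constructed sample: the rule from the question, with the copy/paste spaces removed.
ORIGINAL_RULE = (
    'alert tcp 61.0.0.0/8 any -> 129.241.196.0/24 80 (content: "GET http://lookfreebies.com/prx1.php'
    ' HTTP/1.0|0D 0A|Accept: */*|0D 0A|Accept-Language: en-us|0D 0A|User-Agent: Mozilla/4.0'
    ' (compatible; MSIE 6.0; Windows NT 5.0)|0D 0A|Host: lookfreebies.com|0D 0A|Connection:'
    ' Keep-Alive|0D 0A 0D|"; )')
# Constructed rewrite (hypothetical msg text, local sid): msg/sid/rev added, and short matches on
# the normalised HTTP buffers instead of one byte-exact copy of the whole request header.
FIXED_RULE = (
    'alert tcp 61.0.0.0/8 any -> 129.241.196.0/24 80 (msg:"Lookfreebies prx1.php request";'
    ' flow:to_server,established; content:"GET"; http_method; content:"/prx1.php"; http_uri;'
    ' content:"lookfreebies.com"; http_header; sid:1000001; rev:1;)')
# Header: action proto src sport direction dst dport, then the option body in parentheses.
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
# Split on ';' only when an even number of '"' follows, i.e. outside a quoted value
# (content values contain ';'); escaped quotes inside content are not handled here.
OPTION_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_rule(rule):
    """Header fields plus an ordered list of (option, value); bare modifiers get value None."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a Snort rule: ' + rule[:40])
    fields = dict(zip(('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport'), m.groups()))
    raw = [o.strip() for o in OPTION_SPLIT_RE.split(m.group(8)) if o.strip()]
    fields['options'] = [tuple(p.strip() for p in o.split(':', 1)) if ':' in o else (o, None)
                         for o in raw]
    return fields

def decode_content(value):
    """Bytes a content option matches: text outside |..| is literal, inside it is hex."""
    out = bytearray()
    for i, chunk in enumerate(value.strip().strip('"').split('|')):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)

def lint(rule):
    """The problems raised in the thread, checked mechanically; [] means none found."""
    options = parse_rule(rule)['options']
    names = [n for n, _ in options]
    problems = ['no %s: Snort needs it to name (msg) or even load (sid) the rule' % r
                for r in ('msg', 'sid') if r not in names]
    for name, value in options:
        if name == 'content' and len(decode_content(value)) > 64:
            problems.append('%d-byte content: the whole request header must match byte for byte'
                            % len(decode_content(value)))
    return problems
```

Running lint on ORIGINAL_RULE reports all three problems; on FIXED_RULE it reports none.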
Current thread:
- Snort Rule Format Example motahareh dehghan chachkamy (Oct 12)
- Re: Snort Rule Format Example Joel Esler (Oct 12)
- Re: Snort Rule Format Example JJ Cummings (Oct 12)
- Re: Snort Rule Format Example Martin Holste (Oct 12)
- Re: Snort Rule Format Example Joel Esler (Oct 13)
- Re: Snort Rule Format Example JJ Cummings (Oct 12)
- Re: Snort Rule Format Example Joel Esler (Oct 12)