Snort Forums Archive
alert rules
Posted by joma on March 09, 2006 09:08:03
I never used Snort and I have to figure out some rules. Seeing if anyone can help me out.
1. Create an alert from any incoming packets from source address 66.35.250.203, source port 80 to any machine on the internal network.
2. Create an alert for any incoming packet whose contents contain "tcpdump" (case sensitive).
3. Create an alert for any outgoing packets that list the CUPS protocol.
4. Create an alert for any packet that attempts to CREATE an ssh connection.
5. Create an alert for any packet whose contents contain the word "bard" (not case sensitive).
Posted by brevizniak on March 10, 2006 03:40:15
Contact me privately according to the mail on the list and I'll be happy to help.
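One way to write the five rules from the question, as an added example that is not part of the original thread. It assumes Snort 2.x rule syntax with `$HOME_NET` and `$EXTERNAL_NET` defined in snort.conf, TCP for the port-80 source, port 631 (IPP) as the meaning of "the CUPS protocol", and SSH on its default port 22; the `msg` strings and the SIDs from 1000001 up are constructed local values.

```snort
# 1. Packets from 66.35.250.203, source port 80, to any internal host.
#    Assumption: TCP, since a source port is given (the "ip" protocol
#    keyword does not match on ports).
alert tcp 66.35.250.203 80 -> $HOME_NET any \
    (msg:"LOCAL traffic from 66.35.250.203 port 80"; sid:1000001; rev:1;)

# 2. Incoming packets whose payload contains "tcpdump".
#    content: is case sensitive unless "nocase" is added.
alert ip $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"LOCAL incoming payload contains tcpdump"; \
     content:"tcpdump"; sid:1000002; rev:1;)

# 3. Outgoing CUPS traffic. Assumption: identified by destination
#    port 631 (IPP over TCP, CUPS browsing over UDP).
alert tcp $HOME_NET any -> $EXTERNAL_NET 631 \
    (msg:"LOCAL outgoing CUPS/IPP tcp"; sid:1000003; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 631 \
    (msg:"LOCAL outgoing CUPS browse udp"; sid:1000004; rev:1;)

# 4. Attempts to create an SSH connection: the initial SYN to port 22.
#    flags:S matches packets with only the SYN bit set, so established
#    sessions do not fire the rule. SSH on another port is not covered.
alert tcp any any -> any 22 \
    (msg:"LOCAL SSH connection attempt"; flags:S; sid:1000005; rev:1;)

# 5. Any packet, either direction, whose payload contains "bard"
#    in any mix of upper and lower case.
alert ip any any -> any any \
    (msg:"LOCAL payload contains bard"; \
     content:"bard"; nocase; sid:1000006; rev:1;)
```

Rules 2 and 5 inspect every IP packet payload, which is costly on a busy link; narrowing the protocol or ports reduces the load.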