Snort mailing list archives
RE: newbie-writing rules help
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Mon, 22 Jul 2002 16:51:31 -0400
For example only traffic from the outside going to port :80,23,8000,8001,8002 and a few more are allowed. How must I define this; I thought of: alert tcp any anu -> any 1[80,23,8000,8001,8002] (msg:"Er";)
I'm a little unclear as to what you're trying to accomplish. Before we even get to rules syntax:

1) If these services are allowed, why does it appear that you're trying to generate alerts every time someone accesses them? That is not intrusion detection, that is accounting (in which case Snort is the wrong tool).

2) Assuming that your alert rule was a simple mistake, what is it that you wish to do? Do you want to

- Generate alerts when a service *other* than those listed is accessed?
- Simply inspect the traffic for these services using default rules?
- Perform some kind of (very odd) accounting using Snort?

Just a little more information and we'll get you started down the right path! Please include your Snort version as well (just to make sure you're current)...

Cheers

Keith
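For readers landing on this thread, here is the rule that matches the first option Keith lists (alert when something *other* than the allowed services is contacted from outside). It is an added example, not a rule from any message in this thread; it assumes Snort 2.9-style bracketed port lists and the $EXTERNAL_NET / $HOME_NET variables as they are defined in a stock snort.conf, and the sid value is an arbitrary local-range number.

```snort
# Added example, not from the thread. Assumes Snort 2.9 rule syntax
# ($EXTERNAL_NET and $HOME_NET come from snort.conf; 1000001 is an
# arbitrary sid in the local 1000000+ range).
#
# The original attempt alerted on traffic TO the allowed ports, which is
# accounting rather than detection. This rule negates the port list instead:
# it fires only when an outside host opens a connection to a port that is
# NOT 23, 80, 8000, 8001 or 8002. flags:S restricts it to the initial SYN,
# so a scan or a misdirected client produces one alert per attempt rather
# than one per packet.
alert tcp $EXTERNAL_NET any -> $HOME_NET ![23,80,8000,8001,8002] (msg:"Inbound TCP SYN to a port that is not on the allowed list"; flags:S; classtype:attempted-recon; sid:1000001; rev:1;)
```

Traffic to the five allowed ports is deliberately not matched by this rule; inspecting those services is left to the normal rule set (Keith's second option), which is the usual division of labour rather than writing one rule that does both.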
Current thread:
- RE: newbie-writing rules help McCammon, Keith (Jul 22)
- <Possible follow-ups>
- newbie-writing rules help charella constansia (Jul 22)
- Re: newbie-writing rules help Erek Adams (Jul 22)
- Re: newbie-writing rules help Matt Kettler (Jul 22)