Snort mailing list archives

Re: Rule help

From: Markus Lude <markus.lude () gmx de>
Date: Sat, 20 Dec 2008 04:19:26 +0100

On Fri, Dec 19, 2008 at 07:42:49PM -0700, Jefferson, Shawn wrote:

Hi,

 
Hello,

I need to create a rule that alerts whenever a connection is made to a
specific IP address.  I've never created a rule before, and
unfortunately, I need this fairly quickly.  Can anyone help me out?

Here's what I have:
alert tcp any any -> 146.155.47.250 any (msg:"VMWare Service Infected"; sid:2000001; rev:1;)


You may want to use "ip" instead of "tcp" for the protocol.

Regards,
Markus


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Rule help Jefferson, Shawn (Dec 19)
- Re: Rule help Markus Lude (Dec 19)
  - Re: Rule help Matt Olney (Dec 19)
- Re: Rule help Jefferson, Shawn (Dec 23)
  - Re: Rule help Joel Esler (Dec 23)
  - Re: Rule help Jack Pepper (Dec 23)
    - Re: Rule help Jefferson, Shawn (Dec 23)
    - Re: Rule help Jack Pepper (Dec 23)
    - Re: Rule help Jefferson, Shawn (Dec 23)
    - Re: Rule help Joel Esler (Dec 23)
    - Re: Rule help Jefferson, Shawn (Dec 23)