Snort mailing list archives
Re: Create rule to alert on destination IP Address
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 1 Sep 2011 16:27:28 -0400
On Sep 1, 2011, at 4:00 PM, Mike Smith wrote:
Hello, I trying to learn how I can create a rule or alert, using snort and base to let me know if workstation is trying to connect a specfic IP address. This is a known malware server.
alert tcp $HOME_NET any -> 1.1.1.1 any (msg:"connection to ip 1.1.1.1 detected"; flow:to_server; flags:S+; sid:1;) or something like that (insert your ip in 1.1.1.1) http://manual.snort.org may help as well. Joel
------------------------------------------------------------------------------ Special Offer -- Download ArcSight Logger for FREE! Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Create rule to alert on destination IP Address Mike Smith (Sep 01)
- Re: Create rule to alert on destination IP Address Joel Esler (Sep 01)