Snort mailing list archives
Re: Regarding Coding for Snort
From: Mayur Patil <ram.nath241089 () gmail com>
Date: Fri, 19 Jul 2013 15:04:37 +0530
Hi Waldo, Thanks for the wise reply. Actually I want to write My own rule for recognizing and generating alert (possibly block them ) for DDoS attack. There are four types of rules I found in the snort while running NIDS mode by omitting -e switch 1. Decoder Rule 2. Detection rules 3. Preprocessor rules 4. Dynamic Rules So I need *your suggestion* which one is *effective*, *easy to understand* and *write* ?? Please guide !! That will be a great favour to me !!
you still do not say what kind of code you are talking about... if you are talking about standard GID:1 text rules, then choose something you want to monitor for... like DNS or NETBIOS traffic... or possibly something easier like POP3 or SMTP traffic... then you could use the protocol specs of those to create rules for the different stages of the protocol so that you could alert as each stage was triggered...
if you are talking about coding GID:3 shared object rules, there is a skeleton for such to give a start... generally speaking, rules are written in C and compiled just like any other shared objects... i do not have any specific experience writing GID:3 rules, though...
you have the same thing as the GID:3 rules for creating your own
preperocessor to perform some task on the packets... again, this is an area i do not know about other than having seen others talk about it occasionally...
have you looked on the snort.org web site for any type of development
packages related to your chosen task? that's where i would expect to find samples and tutorials of this nature...
Thanks !! * * *-- Cheers, Mayur* On Thu, Jul 18, 2013 at 11:59 PM, waldo kitty <wkitty42 () windstream net<https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=wkitty42 () windstream net>
wrote:
On 7/18/2013 13:57, Mayur Patil wrote:Hi Joel, Yes, this is assignment for project.:?But In this case, I just want the topic on which I could do thiswork inshort time. My goal is to write code for Rules of snort achieved in 4-5 dayswhichshould be 80 -100 lines.you still do not say what kind of code you are talking about... if you are talking about standard GID:1 text rules, then choose something you want to monitor for... like DNS or NETBIOS traffic... or possibly something easier like POP3 or SMTP traffic... then you could use the protocol specs of those to create rules for the different stages of the protocol so that you could alert as each stage was triggered... if you are talking about coding GID:3 shared object rules, there is a skeleton for such to give a start... generally speaking, rules are written in C and compiled just like any other shared objects... i do not have any specific experience writing GID:3 rules, though... you have the same thing as the GID:3 rules for creating your own preperocessor to perform some task on the packets... again, this is an area i do not know about other than having seen others talk about it occasionally... have you looked on the snort.org web site for any type of development packages related to your chosen task? that's where i would expect to find samples and tutorials of this nature...Seeking for guidance, Thanks !! * * *--* *Cheers,* *Mayur* On Thu, Jul 18, 2013 at 10:47 PM, Joel Esler <jesler () sourcefire com<https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=jesler () sourcefire com> <https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=jesler () sourcefire comwrote: It seems that you are either: A) Asking this for an assignment or B) Have no idea what you are asking. What are you trying to accomplish. What is your end goal? On Jul 18, 2013, at 12:55 PM, Mayur Patil <ram.nath241089 () gmail com<https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=ram.nath241089 () gmail com> <https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=ram.nath241089 () gmail comwrote:Hi Waldo, Two of them which will take*less time and efficient *would bechoicefor my work. A preprocessor? GID:3 shared object rules? Seeking for guidance, Thanks !! On Thu, Jul 18, 2013 at 8:50 PM, waldo kitty<wkitty42 () windstream net<https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=wkitty42 () windstream net><https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=wkitty42 () windstream netwrote: On 7/18/2013 07:40, Mayur Patil wrote: > Hi there, > > First of all sorry for silly question. > > I want to know what can I do in snort as coding part > > which could be done in 4-5 days ?? > > Seeking for guidance, coding what? a preprocessor? GID:3 shared object rules? you have to be more specific...
------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Regarding Coding for Snort Mayur Patil (Jul 18)
- Re: Regarding Coding for Snort waldo kitty (Jul 18)
- Re: Regarding Coding for Snort Mayur Patil (Jul 18)
- Re: Regarding Coding for Snort Joel Esler (Jul 18)
- Re: Regarding Coding for Snort Mayur Patil (Jul 18)
- Re: Regarding Coding for Snort waldo kitty (Jul 18)
- Re: Regarding Coding for Snort Mayur Patil (Jul 19)
- Re: Regarding Coding for Snort waldo kitty (Jul 19)
- Re: Regarding Coding for Snort Mayur Patil (Jul 19)
- Re: Regarding Coding for Snort Mayur Patil (Jul 18)
- Re: Regarding Coding for Snort waldo kitty (Jul 18)