Snort mailing list archives
Re: Rules question
From: neil ramsarran <neilramsarran () hotmail com>
Date: Fri, 2 Dec 2016 02:29:19 +0000
How do I replay the packets? Can you give some instructions?

________________________________
From: Wei Chea Ang <weichea () gmail com>
Sent: Thursday, December 1, 2016 9:05 PM
To: neil ramsarran
Cc: snort-sigs; Atanas Hambardzhiev
Subject: Re: [Snort-sigs] Rules question

Replay the packets and see what rule triggers.

On Dec 2, 2016 9:54 AM, "neil ramsarran" <neilramsarran () hotmail com> wrote:

I'm having the same problem; I cannot seem to get the assignment done with running the winpractice txt file on Snort. Any help will be highly appreciated.

Thanks

________________________________
From: Atanas Hambardzhiev <atanasn3 () gmail com>
Sent: Wednesday, November 30, 2016 10:16 PM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Rules question

Hello all,

First I would like to express my gratitude for the great Snort project you have created and the countless hours you put in to make it better and up to date.

I am having difficulty understanding how rules are created and composed. The more time I spend, the better I get at the whole idea behind it, but still some things are unclear.

In my example, I am given two Wireshark packets and I have to understand by which (under) Snort rules those packets are conceived.

[Inline image 1]
[Inline image 2]
[Inline image 3]

Packet 8

[Inline image 4]
[Inline image 5]

Here are all the details about the Frames/Packets 7 and 8. They are generated under specific rules which are specified in the Snort rule list. I don't have the list to look it up, so I am trying to figure out the rules. Can you please identify these 2 rules?

Thanks in advance!!

Best,

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!