Snort mailing list archives
Re: Snort Rule Creation
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 31 Jan 2017 23:09:25 +0000
Maybe something like: alert tcp $SOURCEIP any -> ![destip1, destip2, destip3] any (msg:”Unauthorized TCP traffic initiated”; flags:S; sid:1000000; rev:1;) ? -- Joel Esler | Talos: Manager | jesler () cisco com <mailto:jesler () cisco com>
On Jan 31, 2017, at 5:33 PM, John G <drterdnugget () gmail com> wrote: Good Afternoon everyone, My name is John and I am starting out with creating Snort rules. I have experience using Snort with IDS's such as Sourcefire and Security Onion for incident response. However, i don't have much experience creating custom rules. Although i once created a rule during one of my security classes during my undergrad program lol Anyway, i have been reading documentation for how to understand/create rules from a variety of sources. But I wanted to reach out to you guys and see what information you can provide. I have a device that is communicating with about 8 other devices. I would like to write a rule that alerts if it detects any communication outside of those devices. Is it possible to list multiple ip addresses within a rule and maybe use an is not "!=" attribute. So something like: alert tcp != sourceip1 80 -> destip1, destip2, destip3, etc (msg:"Alert Message";) I would appreciate any assistance and will continue to do my own research and see if i can figure it out on my own :) Regards, John ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Attachment:
signature.asc
Description: Message signed with OpenPGP
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation Joel Esler (jesler) (Jan 31)
- Re: Snort Rule Creation James Lay (Jan 31)
- Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation Desmond Agee (Jan 31)
- Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation Joel Esler (jesler) (Jan 31)
- Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation Joel Esler (jesler) (Jan 31)