Snort mailing list archives

Re: Snort Rule Creation

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 31 Jan 2017 23:09:25 +0000

Maybe something like:

alert tcp $SOURCEIP any -> ![destip1, destip2, destip3] any (msg:”Unauthorized TCP traffic initiated”; flags:S; 
sid:1000000; rev:1;)

?


--
Joel Esler | Talos: Manager | jesler () cisco com <mailto:jesler () cisco com>

On Jan 31, 2017, at 5:33 PM, John G <drterdnugget () gmail com> wrote:

Good Afternoon everyone,

My name is John and I am starting out with creating Snort rules. I have experience using Snort with IDS's such as
Sourcefire and Security Onion for incident response. However, i don't have much experience creating custom rules.
Although i once created a rule during one of my security classes during my undergrad program lol Anyway, i have been
reading documentation for how to understand/create rules from a variety of sources. But I wanted to reach out to you
guys and see what information you can provide.

I have a device that is communicating with about 8 other devices. I would like to write a rule that alerts if it
detects any communication outside of those devices.

Is it possible to list multiple ip addresses within a rule and maybe use an is not "!=" attribute.

So something like: alert tcp != sourceip1 80 -> destip1, destip2, destip3, etc (msg:"Alert Message";)

I would appreciate any assistance and will continue to do my own research and see if i can figure it out on my own :)

Regards,
John
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Attachment: signature.asc
Description: Message signed with OpenPGP

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation Joel Esler (jesler) (Jan 31)
  - Re: Snort Rule Creation James Lay (Jan 31)
  - Re: Snort Rule Creation John G (Jan 31)
  - Re: Snort Rule Creation John G (Jan 31)
    - Re: Snort Rule Creation John G (Jan 31)
    - Re: Snort Rule Creation Desmond Agee (Jan 31)
    - Re: Snort Rule Creation John G (Jan 31)
    - Re: Snort Rule Creation Joel Esler (jesler) (Jan 31)
    - Re: Snort Rule Creation John G (Jan 31)
- Re: Snort Rule Creation Wei Chea Ang (Feb 01)