Re: [Snort-sigs] Alert rules

I know you say these are very basic rules but i have never delt with snort.  
As a matter of fact i never delt with networking.  That is why i need help 
because even when i look at the manual i get confused as i get more into it.


> From: Nigel Houghton <nigel@sourcefire.com>
> Reply-To: snort-sigs@lists.sourceforge.net
> To: FRANK SORNATALE <sornatale@hotmail.com>
> CC: snort-sigs@lists.sourceforge.net
> Subject: Re: [Snort-sigs] Alert rules
> Date: Thu, 9 Mar 2006 16:36:25 -0600
>
> On  0, FRANK SORNATALE <sornatale@hotmail.com> allegedly wrote:
> > Was wondering if anyone can help me figure out these rules:  Please i
> > really need the help from some experience users.
> >
> > 1. Create an alert from any incoming packets from source address
> > 66.35.250.203, source port 80 to any machine on the internal network.
> >
> > 2. Create an alert for any incoming packet whose contents contain 
> "tcpdump"
> > (case sensitive).
> >
> > 3. Create an alert for any outgoing packets that list the CUPS protocol.
> >
> > 4. Create an alert for any packet that attempts to CREATE an ssh 
> connection.
> >
> > 5. Create an alert for any packet whose contents contain the word "bard"
> > (not case sensitive).
> >
> > 7. Create an alert for any packets from source 172.17.76.1 and whose
> > destination is 172.17.76.3, that contains the keyword "diffie".
> >
> > 8. Create an alert for any packets whose destination port (on the 
> trusted,
> > internal network) is 50146.
> >
> > 9. Create an alert for any outgoing packets whose source port is 42637 
> and
> > whose contents contains the keyword "firefox" (case insensitive).
> >
> > 10. Create an alert for any packets that contain a source or destination 
> IP
> > address within the 192.168.0.0/24 domain.
>
> These are very simple rules to write. Please look at the snort manual
> and existing rules to answer your own questions.
>
> +--------------------------------------------------------------------+
>      Nigel Houghton      Research Engineer       Sourcefire Inc.
>                    Vulnerability Research Team
>
>          There is no theory of evolution, just a list
>             of creatures Vin Diesel allows to live.
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live 
> webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

_________________________________________________________________
Don?t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs