Home page logo
/

snort logo Snort mailing list archives

Re: New to writing Snort Rules. Help writing a rule?
From: evejou <girl () techn0ev3 net>
Date: Sat, 19 May 2012 07:30:28 -0400

Hi Tyler,

I think what you're looking for is how to whitelist IPs:
http://manual.snort.org/node17.html#SECTION003219000000000000000

According to this entry here, you really don't want to use signatures to
white/blacklist stuff:
http://vrt-blog.snort.org/2012/04/snort-performance-and-ip-only-rules.html


-evejou






On Fri, May 18, 2012 at 4:18 PM, Tyler MacPherson <tah338 () sr unh edu> wrote:

Hi,

I recently put Snort on a system for my work. I'm trying to configure it
by writing certain rules, but since I'm brand new to Snort, I'm having
some trouble figuring out how to write these rules. Basically, the
system I'm deploying Snort on should only be receiving traffic through
two avenues: a MySQL database and Oracle database that are linked to it.
Everything else should be picked up Snort as potentially being bad. What
I'm wondering is, how would I go about writing rules that would achieve
this goal?

Thank you.

--
Tyler MacPherson
Student Operator
UNH Research Computing Center
(603) 862-4518



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
"We who cut mere stones must always be envisioning cathedrals." -- Quarry
worker's creed.
(The Pragmatic Programmer, by Andrew Hunt and David Thomas.)
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault