Snort mailing list archives
Re: Regarding Coding for Snort
From: Mayur Patil <ram.nath241089 () gmail com>
Date: Fri, 19 Jul 2013 22:37:02 +0530
Hi Waldo,
Thanks for this and I will do the same.
Thanks again.
--
Cheers,
Mayur
On Fri, Jul 19, 2013 at 10:25 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 7/19/2013 05:34, Mayur Patil wrote:
>> Hi Waldo,
>> Thanks for the wise reply. Actually I want to write my own rule for recognizing and generating alerts (possibly blocking them) for a DDoS attack. There are four types of rules I found in Snort while running NIDS mode by omitting the -e switch:
>> 1. Decoder Rule
>> 2. Detection rules
>> 3. Preprocessor rules
>> 4. Dynamic Rules
>> So I need *your suggestion* which one is *effective*, *easy to understand* and *write*??
>
> then i would suggest that you look at the standard textual rules... they are the ones i've been noting as GID:1... if your snort is operational, then you have rules in your *.rules files... one rule per line... follow their format and the information in the snort pdf manual and you should be able to create a rule or two in no time at all ;)
>
>> Please guide !! That will be a great favour to me !!
>>
>> Thanks !!
>> --
>> Cheers,
>> Mayur
>>
>> On Thu, Jul 18, 2013 at 11:59 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>> On 7/18/2013 13:57, Mayur Patil wrote:
>>>> Hi Joel,
>>>>
>>>> Yes, this is an assignment for a project. :?
>>>> But in this case, I just want the topic on which I could do this work in a short time.
>>>>
>>>> My goal is to write code for rules of Snort, achieved in 4-5 days, which should be 80-100 lines.
>>>
>>> you still do not say what kind of code you are talking about... if you are talking about standard GID:1 text rules, then choose something you want to monitor for... like DNS or NETBIOS traffic... or possibly something easier like POP3 or SMTP traffic... then you could use the protocol specs of those to create rules for the different stages of the protocol so that you could alert as each stage was triggered...
>>>
>>> if you are talking about coding GID:3 shared object rules, there is a skeleton for such to give a start... generally speaking, rules are written in C and compiled just like any other shared objects... i do not have any specific experience writing GID:3 rules, though...
>>>
>>> you have the same thing as the GID:3 rules for creating your own preprocessor to perform some task on the packets... again, this is an area i do not know about other than having seen others talk about it occasionally...
>>>
>>> have you looked on the snort.org <http://snort.org> web site for any type of development packages related to your chosen task? that's where i would expect to find samples and tutorials of this nature...
>>>
>>>> Seeking for guidance,
>>>> Thanks !!
>>>> --
>>>> Cheers,
>>>> Mayur
>>>>
>>>> On Thu, Jul 18, 2013 at 10:47 PM, Joel Esler <jesler () sourcefire com> wrote:
>>>>> It seems that you are either:
>>>>>
>>>>> A) Asking this for an assignment or
>>>>> B) Have no idea what you are asking.
>>>>>
>>>>> What are you trying to accomplish. What is your end goal?
>>>>>
>>>>> On Jul 18, 2013, at 12:55 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:
>>>>>> Hi Waldo,
>>>>>>
>>>>>> Two of them which will take *less time and be efficient* would be the choice for my work.
>>>>>> A preprocessor? GID:3 shared object rules?
>>>>>> Seeking for guidance,
>>>>>>
>>>>>> Thanks !!
>>>>>>
>>>>>> On Thu, Jul 18, 2013 at 8:50 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>>>>>> On 7/18/2013 07:40, Mayur Patil wrote:
>>>>>>>> Hi there,
>>>>>>>>
>>>>>>>> First of all sorry for the silly question.
>>>>>>>>
>>>>>>>> I want to know what I can do in Snort as a coding part
>>>>>>>> which could be done in 4-5 days ??
>>>>>>>>
>>>>>>>> Seeking for guidance,
>>>>>>>
>>>>>>> coding what? a preprocessor? GID:3 shared object rules?
>>>>>>>
>>>>>>> you have to be more specific...
>>>>>>>
>>>>>>> --
>>>>>>> NOTE: No off-list assistance is given without prior approval.
>>>>>>>       Please keep mailing list traffic on the list unless
>>>>>>>       private contact is specifically requested and granted.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
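As an added illustration of the "standard GID:1 text rules" waldo points to in the thread (this is example text written for this archive page, not rules from the Snort project or from any participant): three local rules in the one-rule-per-line format found in the *.rules files. The first two follow his suggestion of one rule per protocol stage, using SMTP; the third is a rate-based rule of the kind Mayur asked about. The message strings, the port, the count/seconds thresholds and the sid values are assumptions chosen for the example; $HOME_NET and $EXTERNAL_NET are the variables defined in snort.conf, sid 1000000 and above is the range left free for local rules, and classtype names come from the stock classification.config.

```snort
# Stage 1 of an SMTP session: the client greeting.
# flow:to_server,established limits the match to the client side of an
# established TCP session; depth:5 restricts the content search to the
# first five payload bytes, so "EHLO" inside a message body will not match.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"LOCAL SMTP EHLO greeting"; flow:to_server,established; content:"EHLO "; nocase; depth:5; classtype:protocol-command-decode; sid:1000001; rev:1;)

# Stage 2: the sender is declared. A separate rule per stage is what lets
# the alert log show how far into the protocol a session got. |3A| is the
# hex escape for the colon.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"LOCAL SMTP MAIL FROM"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; depth:10; classtype:protocol-command-decode; sid:1000002; rev:1;)

# Rate-based rule for the DDoS case. flags:S matches packets with only the
# SYN flag set; flow:stateless lets the rule see them before a session
# exists. detection_filter holds the alert back until one destination has
# received more than 200 such SYNs within one second. 200 and 1 are
# placeholder values to be tuned against the baseline of your own network.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL possible SYN flood"; flow:stateless; flags:S; detection_filter:track by_dst, count 200, seconds 1; classtype:attempted-dos; sid:1000003; rev:1;)
```

Save these in a file such as local.rules, include it from snort.conf, and test with snort -T -c snort.conf before starting the sensor: a syntax error in any rule stops Snort from loading at all. For the "possibly block them" part of the question, the action keyword drop (or reject) replaces alert when Snort runs inline; in passive NIDS mode only alert and log are meaningful, since the packet has already passed by the time the rule fires.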
Current thread:
- Regarding Coding for Snort Mayur Patil (Jul 18)
- Re: Regarding Coding for Snort waldo kitty (Jul 18)
- Re: Regarding Coding for Snort Mayur Patil (Jul 18)
- Re: Regarding Coding for Snort Joel Esler (Jul 18)
- Re: Regarding Coding for Snort Mayur Patil (Jul 18)
- Re: Regarding Coding for Snort waldo kitty (Jul 18)
- Re: Regarding Coding for Snort Mayur Patil (Jul 19)
- Re: Regarding Coding for Snort waldo kitty (Jul 19)
- Re: Regarding Coding for Snort Mayur Patil (Jul 19)
- Re: Regarding Coding for Snort Mayur Patil (Jul 18)
- Re: Regarding Coding for Snort waldo kitty (Jul 18)
