Snort mailing list archives

Re: WRITE RULE ERROR


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Mon, 23 Oct 2017 22:40:54 +0000

Hello,

It would help if you sent the pcap and point out what you are trying to detect.

Thanks!

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> on behalf of nguyen cao via Snort-users <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Reply-To: nguyen cao <nguyenblack1995 () gmail com<mailto:nguyenblack1995 () gmail com>>
Date: Monday, October 23, 2017 at 10:43 AM
To: "snort-users () lists snort org<mailto:snort-users () lists snort org>" <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Subject: [Snort-users] WRITE RULE ERROR

I write Snort alert rules of this type:

alert any any -> any any (msg:"Test";ack:1;classtype:shellcode-detect;sid;1000001;rev:1;)

and

alert any any -> any any (msg:"test2";flags:S;flow:to_server,established;detecion_filter:track by_src, count: 5,sencond 5; classtype:shellcode-detect;sid:1000002;rev:1;)


But the 2 rules do not alert. Can people tell me how to write an alert rule of the above type?

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
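The reply above asks for a pcap, but the two rules as posted also contain syntax slips that would keep them from loading or matching regardless of traffic: a six-field header with no protocol (the documented form is `action proto src sport dir dst dport`), `sid;1000001` instead of `sid:1000001`, `detecion_filter` for `detection_filter`, `sencond` for `seconds` in the filter clause, and `flags:S` combined with `flow:established`, which a bare SYN cannot satisfy. The following rule linter is an added example (not code from the thread, Snort, or Cisco) that checks a Snort 2-style rule against those documented forms and reports each defect; the option keyword list is an illustrative subset, and `FIXED_RULE` is a constructed corrected version of the second rule that assumes TCP and a SYN-count threshold is what was intended.

```python
"""Lint Snort 2-style rules for syntax slips that stop a rule from ever alerting."""

VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
VALID_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
# Illustrative subset of documented Snort rule options (assumption: not exhaustive).
KNOWN_OPTIONS = {
    "msg", "reference", "gid", "sid", "rev", "classtype", "priority", "metadata",
    "content", "nocase", "depth", "offset", "distance", "within", "pcre",
    "flags", "flow", "flowbits", "seq", "ack", "window", "dsize", "ttl",
    "itype", "icode", "threshold", "detection_filter",
}
VALUELESS_OPTIONS = {"nocase"}           # options that legitimately take no ':' value
DF_KEYS = ("track", "count", "seconds")  # documented detection_filter clause keywords


def split_options(body):
    """Split the option body on ';' separators that sit outside double quotes."""
    opts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    opts.append("".join(buf).strip())
    return [o for o in opts if o]


def check_detection_filter(value, problems):
    """detection_filter must read: track by_src|by_dst, count <n>, seconds <n>."""
    fields = {}
    for clause in value.split(","):
        tokens = clause.split()
        if len(tokens) != 2:
            problems.append(f"detection_filter: malformed clause '{clause.strip()}'")
            continue
        fields[tokens[0]] = tokens[1]
    for key in DF_KEYS:
        if key not in fields:
            problems.append(f"detection_filter: missing '{key}'")
    for key in fields:
        if key not in DF_KEYS:
            problems.append(f"detection_filter: unknown keyword '{key}'")
    if fields.get("track", "by_src") not in ("by_src", "by_dst"):
        problems.append("detection_filter: track must be by_src or by_dst")
    for key in ("count", "seconds"):
        if key in fields and not fields[key].isdigit():
            problems.append(f"detection_filter: {key} must be an integer")


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule passed every check."""
    problems = []
    head, paren, rest = rule.strip().partition("(")
    if not paren or not rest.endswith(")"):
        return ["rule options must be enclosed in parentheses"]
    fields = head.split()
    if len(fields) != 7:
        problems.append(f"header has {len(fields)} fields, expected 7 "
                        "(action proto src sport dir dst dport)")
    else:
        if fields[0] not in VALID_ACTIONS:
            problems.append(f"unknown action '{fields[0]}'")
        if fields[1] not in VALID_PROTOCOLS:
            problems.append(f"unknown protocol '{fields[1]}'")
        if fields[4] not in ("->", "<>"):
            problems.append(f"bad direction operator '{fields[4]}'")
    seen = {}
    for opt in split_options(rest[:-1]):       # drop the closing ')'
        key, colon, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key not in KNOWN_OPTIONS:
            problems.append(f"unknown option '{key}'")
            continue
        if not colon and key not in VALUELESS_OPTIONS:
            problems.append(f"option '{key}' has no ':' value")
            continue
        seen[key] = value
        if key in ("sid", "rev", "gid") and not value.isdigit():
            problems.append(f"option '{key}' must be numeric, got '{value}'")
        if key == "detection_filter":
            check_detection_filter(value, problems)
    if "sid" not in seen:
        problems.append("missing sid")
    # A bare SYN arrives before the stream is established, so these exclude each other.
    if seen.get("flags") == "S" and "established" in seen.get("flow", ""):
        problems.append("flags:S combined with flow:established can never match")
    return problems


# The two rules from the thread, as posted (only the line wrapping removed).
POSTED_RULES = [
    'alert any any -> any any (msg:"Test";ack:1;classtype:shellcode-detect;sid;1000001;rev:1;)',
    'alert any any -> any any (msg:"test2";flags:S;flow:to_server,established;'
    'detecion_filter:track by_src, count: 5,sencond 5; classtype:shellcode-detect;sid:1000002;rev:1;)',
]
# Constructed corrected form of the second rule (assumption: tcp, SYN count per source).
FIXED_RULE = ('alert tcp any any -> any any (msg:"test2"; flags:S; '
              'detection_filter:track by_src, count 5, seconds 5; '
              'classtype:shellcode-detect; sid:1000002; rev:1;)')

if __name__ == "__main__":
    for r in POSTED_RULES + [FIXED_RULE]:
        print(r)
        for p in lint_rule(r) or ["ok"]:
            print("  -", p)
```

Running the script prints each posted rule with its defects and `ok` for the corrected one. The linter is deliberately stricter than Snort's own parser (it rejects `count: 5` as well as `sencond 5`, because the documented clause form is `count 5`); treat its output as a pre-commit check on rule files rather than as a statement of what a given Snort build will accept.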
