Fir3net.com - Keeping You In The Know

 

Writing Signatures


Below is a custom signature that alerts on TCP traffic from any source to any destination on port 22 when the PSH and ACK flags are set and no others (flags:PA without a modifier is an exact match; write flags:PA+ if packets carrying additional flags should match as well). The threshold does not make the rule fire "every 600 seconds": type limit with track by_dst, count 1 and seconds 600 raises at most one alert per destination IP in each 600-second window and silently drops further matches to that destination until the window has expired.

alert tcp any any -> any 22 (msg:"SSH TRAFFIC"; flags:PA; classtype:not-suspicious; threshold: type limit, track by_dst, count 1, seconds 600; sid:1000001; rev:1;)

The SID 1000001 sits in the range reserved for local rules (1,000,000 and above), so it cannot collide with a rule from the VRT or another vendor feed; bump rev each time the rule is changed. Note that the threshold rule keyword is deprecated from Snort 2.8.5 onwards in favour of detection_filter inside the rule or an event_filter entry in threshold.conf, and Snort 3 does not accept it in a rule at all, so on a current sensor keep the rule without the threshold option and configure the equivalent event_filter for sid 1000001 instead.
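To make the flags and threshold semantics concrete, here is an added example (not code from the Fir3net page or from Snort itself) that parses the rule above and replays constructed packets through a small model of Snort's flags matching and limit thresholding. The packet list, its timestamps and its addresses are made up for the demonstration, and the parser handles only the option syntax this rule uses (a quoted msg, flags, threshold, sid, rev); it is not a general Snort rule parser.

```python
"""Added example: parse the page's Snort rule and replay constructed packets
through its flags and limit-threshold logic (not Snort's own code)."""
import re

# The rule from the page, with the spacing around the threshold commas tidied.
RULE = ('alert tcp any any -> any 22 (msg:"SSH TRAFFIC"; flags:PA; '
        'classtype:not-suspicious; threshold: type limit, track by_dst, '
        'count 1, seconds 600; sid:1000001; rev:1;)')

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$')
# Split the option body on ';' only where it sits outside double quotes.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_rule(rule):
    """Return the header fields plus an 'options' dict for a one-line rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    parsed = {k: v for k, v in m.groupdict().items() if k != 'body'}
    opts = {}
    for opt in OPT_SPLIT_RE.split(m.group('body')):
        if opt.strip():
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip().strip('"')
    if 'threshold' in opts:
        # "type limit, track by_dst, count 1, seconds 600" -> dict
        opts['threshold'] = dict(p.split() for p in opts['threshold'].split(','))
    parsed['options'] = opts
    return parsed


def flags_match(spec, pkt_flags):
    """Snort 'flags' semantics: a bare spec (PA) must match exactly; a '+'
    modifier matches if those bits are set whatever else is; '*' if any of
    them is set; '!' if none of them is set. Snort accepts the modifier
    before or after the letters. A ',mask' suffix names bits to ignore."""
    spec, _, mask = spec.partition(',')
    mode = ''.join(c for c in '+*!' if c in spec)
    want = set(spec.strip('+*!'))
    have = set(pkt_flags) - set(mask)
    if mode == '+':
        return want <= have
    if mode == '*':
        return bool(want & have)
    if mode == '!':
        return not (want & have)
    return want == have


class LimitThreshold:
    """threshold: type limit, track by_src|by_dst, count N, seconds S.
    Allow the first N matches per tracked address in each S-second window
    (the window opens at that address's first match); drop the rest."""
    def __init__(self, thr):
        self.count, self.seconds = int(thr['count']), int(thr['seconds'])
        self.by_dst = thr['track'] == 'by_dst'
        self.state = {}  # tracked address -> (window_start, matches_seen)

    def allow(self, ts, src, dst):
        key = dst if self.by_dst else src
        start, seen = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0          # open a fresh window
        seen += 1
        self.state[key] = (start, seen)
        return seen <= self.count


def _matches(pattern, value):
    return pattern == 'any' or str(pattern) == str(value)


def run_rule(rule_text, packets):
    """Return (ts, src, dst) for each alert the rule raises over packets
    given as (ts_seconds, src, dst, dport, tcp_flags) tuples."""
    rule = parse_rule(rule_text)
    opts = rule['options']
    thr = LimitThreshold(opts['threshold']) if 'threshold' in opts else None
    alerts = []
    for ts, src, dst, dport, flags in packets:
        if not (_matches(rule['src'], src) and _matches(rule['dst'], dst)
                and _matches(rule['dport'], dport)):
            continue
        if 'flags' in opts and not flags_match(opts['flags'], flags):
            continue
        if thr and not thr.allow(ts, src, dst):
            continue                     # matched, but suppressed by the limit
        alerts.append((ts, src, dst))
    return alerts


# Constructed sample traffic (not a real capture); comments give the outcome.
PACKETS = [
    (0,   '192.0.2.10', '10.0.0.5', 22, 'PA'),   # alert: first match for 10.0.0.5
    (10,  '192.0.2.10', '10.0.0.5', 22, 'PA'),   # suppressed: same window
    (10,  '192.0.2.10', '10.0.0.5', 22, 'S'),    # no match: SYN only
    (20,  '192.0.2.10', '10.0.0.7', 22, 'PAU'),  # no match: exact PA, URG also set
    (30,  '192.0.2.11', '10.0.0.6', 22, 'PA'),   # alert: different destination
    (599, '192.0.2.10', '10.0.0.5', 22, 'PA'),   # suppressed: 599 s into window
    (600, '192.0.2.10', '10.0.0.5', 22, 'PA'),   # alert: new 600 s window
    (700, '192.0.2.10', '10.0.0.5', 80, 'PA'),   # no match: port 80
]


def demo_exact():
    """The page's rule as written (flags:PA, exact match)."""
    return run_rule(RULE, PACKETS)


def demo_plus():
    """Same rule with flags:PA+, so the PSH/ACK/URG packet also matches."""
    return run_rule(RULE.replace('flags:PA;', 'flags:PA+;'), PACKETS)


if __name__ == '__main__':
    for alert in demo_exact():
        print('ALERT', *alert)
```

Running it prints three alerts: t=0 and t=600 for 10.0.0.5 and t=30 for 10.0.0.6. The PSH/ACK packets at t=10 and t=599 to 10.0.0.5 match the rule but are dropped by the limit, which is the behaviour the threshold actually buys you, and the PSH/ACK/URG packet to 10.0.0.7 only alerts once flags:PA is loosened to flags:PA+ (demo_plus), which is the difference between the exact and the "+" flag modes.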

 

Adding the Rule

Snort

Add the rule to local.rules and make sure the include line for it (include $RULE_PATH/local.rules) in snort.conf, normally /etc/snort/snort.conf, is not commented out. Before restarting the daemon, run snort -T -c /etc/snort/snort.conf to confirm the configuration and the new rule parse cleanly.

Sourcefire

On the Defense Center select the sensor (or, for a standalone deployment, work on the sensor itself), import the rule as a local rule, make sure it is enabled in the intrusion policy, and apply the policy to the sensor.
