[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-users
Subject: Re: [Snort-users] WRITE RULE ERROR
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists ! snort ! org>
Date: 2017-10-23 22:40:54
Message-ID: F0C99E74-C3BA-4357-96F4-A8B62BC63355 () cisco ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
[Attachment #4 (text/plain)]
Hello,
It would help if you sent the pcap and point out what you are trying to detect.
Thanks!
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi@cisco.com<mailto:allewi@cisco.com>
From: Snort-users <snort-users-bounces@lists.snort.org<mailto:snort-users-bounces@lists.snort.org>> \
on behalf of nguyen cao via Snort-users \
<snort-users@lists.snort.org<mailto:snort-users@lists.snort.org>>
Reply-To: nguyen cao <nguyenblack1995@gmail.com<mailto:nguyenblack1995@gmail.com>>
Date: Monday, October 23, 2017 at 10:43 AM
To: "snort-users@lists.snort.org<mailto:snort-users@lists.snort.org>" \
<snort-users@lists.snort.org<mailto:snort-users@lists.snort.org>>
Subject: [Snort-users] WRITE RULE ERROR
[cid:ii_j94ag32h1_15f49ac9e05de455]
I write rule snort alert this type :alert any any -> any any \
(msg:"Test";ack:1;classtype:shellcode-detect;sid;1000001;rev:1;) and
alert any any -> any any \
(msg:"test2";flags:S;flow:to_server,established;detecion_filter:track by_src, count: \
5,sencond 5; classtype:shellcode-detect;sid:1000002;rev:1;)
But the 2 rules are not alert. People ask me how to write an alert rule with the \
above type?
[Attachment #5 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: \
after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Courier, \
sans-serif;"> <div>
<div>
<div>Hello,</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>It would help if you \
sent the pcap and point out what you are trying to detect.</div> <div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE">
<div>
<p class="MsoNormal" style="font-family: -webkit-standard; margin: 0in 0in 0.0001pt; \
font-size: 11pt;"> <b><span style="font-size: 12pt; color: rgb(31, 73, 125);"><font \
face="Courier">Albert Lewis<o:p></o:p></font></span></b></p> <p class="MsoNormal" \
style="font-family: -webkit-standard; margin: 0in 0in 0.0001pt; font-size: 11pt;"> \
<font color="#7f7f7f">ENGINEER.SOFTWARE ENGINEERING</font></p> <p class="MsoNormal" \
style="font-family: -webkit-standard; margin: 0in 0in 0.0001pt; font-size: 11pt;"> \
<font face="Courier"><span style="color: rgb(153, 153, 153); font-size: \
12pt;">SOURCE</span><b><span style="font-size: 12pt; color: \
red;">fire</span></b><span style="color: rgb(153, 153, 153); font-size: 12pt;">, \
Inc. </span><span style="color: rgb(136, 136, 136); font-size: 12pt;">now part \
of </span><b><span style="font-size: 12pt;"><font \
color="#00007f">Cisco</font></span></b></font></p> <p class="MsoNormal" \
style="font-family: -webkit-standard; margin: 0in 0in 0.0001pt; font-size: 11pt;"> \
<font face="Courier"><span style="font-size: 12pt; color: rgb(153, 153, \
153);">Email: </span><span style="font-size: 12pt;"><a \
href="mailto:allewi@cisco.com" style="color: purple;">allewi@cisco.com</a><span \
style="color: rgb(79, 129, 189);"> </span></span></font></p> </div>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; \
BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; \
PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: \
medium none; PADDING-TOP: 3pt"> <span style="font-weight:bold">From: \
</span>Snort-users <<a \
href="mailto:snort-users-bounces@lists.snort.org">snort-users-bounces@lists.snort.org</a>> \
on behalf of nguyen cao via Snort-users <<a \
href="mailto:snort-users@lists.snort.org">snort-users@lists.snort.org</a>><br> \
<span style="font-weight:bold">Reply-To: </span>nguyen cao <<a \
href="mailto:nguyenblack1995@gmail.com">nguyenblack1995@gmail.com</a>><br> <span \
style="font-weight:bold">Date: </span>Monday, October 23, 2017 at 10:43 AM<br> <span \
style="font-weight:bold">To: </span>"<a \
href="mailto:snort-users@lists.snort.org">snort-users@lists.snort.org</a>" \
<<a href="mailto:snort-users@lists.snort.org">snort-users@lists.snort.org</a>><br>
<span style="font-weight:bold">Subject: </span>[Snort-users] WRITE RULE ERROR<br>
</div>
<div><br>
</div>
<span style="mso-bookmark:_MailOriginalBody">
<div>
<div>
<div dir="ltr"><img src="cid:ii_j94ag32h1_15f49ac9e05de455" width="412" \
height="232"><br> I write rule snort alert this type :alert any any -> any \
any (msg:"Test";ack:1;classtype:shellcode-detect;sid;1000001;rev:1;) \
<div>and</div> <div>alert any any -> any any \
(msg:"test2";flags:S;flow:to_server,established;detecion_filter:track \
by_src, count: 5,sencond 5; classtype:shellcode-detect;sid:1000002;rev:1;)</div> \
<div><br> </div>
<div><br>
</div>
<div>But the 2 rules are not alert. People ask me how to write an alert rule with the \
above type?<br> </div>
</div>
</div>
</div>
</span></span>
</body>
</html>
["Untitled.png" (image/png)]
_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--===============9180582847356387748==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic