
List:       snort-users
Subject:    Re: [Snort-users] SNORT HELP !
From:       "Al Lewis (allewi) via Snort-users" <snort-users@lists.snort.org>
Date:       2017-10-24 21:08:03
Message-ID: E803B939-4941-4231-AB47-1EB629134180@cisco.com


Simple.

alert tcp any any -> any any (msg:"TCP"; sid:1;)


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi@cisco.com

From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of nguyen cao via Snort-users <snort-users@lists.snort.org>
Reply-To: nguyen cao <nguyenblack1995@gmail.com>
Date: Tuesday, October 24, 2017 at 12:10 AM
To: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: [Snort-users] SNORT HELP !

Hi! I use Wireshark to catch 3 TCP packets. It's a three-step process. There are no
other TCP packets. How do I write rules that detect only 3 TCP packets? Thank you
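The one-line rule in the reply fires on every TCP packet, so on a capture holding only the three-way handshake it alerts three times. The rules below are an added example, not part of the reply above: they split the handshake into its three steps with the `flags` keyword so each packet is reported as the step it is. The `msg` text and the `sid` values are my choice (local rules are conventionally numbered from 1000000 up so they never collide with the official rule set); the `,12` after each flag set tells Snort to ignore the two reserved bits (CWR/ECE) when comparing flags, so ECN-negotiating hosts still match.

```snort
# Added example: classify the three packets of a TCP three-way handshake.
# Step 1: client SYN, no ACK. "S,12" = exactly SYN set, ignoring CWR/ECE.
alert tcp any any -> any any (msg:"TCP handshake step 1 - SYN"; flags:S,12; sid:1000001; rev:1;)

# Step 2: server SYN/ACK.
alert tcp any any -> any any (msg:"TCP handshake step 2 - SYN/ACK"; flags:SA,12; sid:1000002; rev:1;)

# Step 3: client ACK completing the handshake. Note this also matches any later
# pure-ACK segment; on a capture containing only the handshake that is the third packet.
alert tcp any any -> any any (msg:"TCP handshake step 3 - ACK"; flags:A,12; sid:1000003; rev:1;)
```

To check them against the capture, put the three lines in a rules file that your snort.conf includes and read the pcap offline with `snort -c snort.conf -r capture.pcap -A console`; each packet should produce exactly one alert, in handshake order. If the capture was taken on a host with checksum offloading and Snort silently drops the packets as bad-checksum, add `-k none` to disable checksum verification.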





_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
