privacyninja
Reputation: 81
Configuring rules to detect SMTP, HTTP and DNS traffic
I am currently trying to configure the Snort rules to detect SMTP, HTTP and DNS traffic. Is this setup correctly?
alert icmp any any -> $HOME_NET any (msg: "ICMP connection attempt"; sid:100000$
alert tcp any any -> $HOME_NET 80 (msg:"HTTP connection attempt"; sid:1000003; $
alert udp any any -> 10.8.9.39 any (msg: "DNS connection attempt"; sid:1000004;$
alert tcp $SMTP_SERVERS any -> $HOME_NET any (msg:"SMTP connection attempt"; si$
Upvotes: 1
Views: 2707
Answers (1)
privacyninja
Reputation: 81
These rules ended up being correct. The documentation can be found at: https://www.snort.org/documents
Upvotes: 1
Related Questions
- Snort Rule to detect http, https and email
- snort | pcre| rule specification
- Snort rule failing to alert to log
- Snort Rules Configuration Issue
- What is the best way to enable different rules for different subnets in Snort?
- Snort - Trying to understand how this snort rule works
- Snort Rule to Alert DNS that has ACK
- Rule for capturing SYN-scanning
- Issue on Snort rules to track IRC servers activities
- How to block packets using snort?