Snort - writing rules

From open-voip.org

# using content nocase offset and depth
alert tcp any any -> any any (msg:"went to cnn.com";content:"cnn.com";nocase;offset:0;depth:30;sid:3000000;rev:4;)

# using uricontent
alert tcp any any -> any any (msg:"went to yahoo.com";uricontent:"yahoo.com";nocase;offset:0;depth:30;sid:3000001;rev:4;)

# invite using hex (49 4e 56 49 54 45 are the ASCII bytes of "INVITE")
alert udp any any -> any any (msg:"find INVITE in hex";content:"|49 4e 56 49 54 45|";sid:3000002;rev:4;)

# sql monitoring: matches "SELECT" encoded as UTF-16LE (each letter followed by a 00 byte, as in TDS traffic); a plain ASCII "SELECT" will not match this rule
alert tcp any any -> any any (msg:"SQL query";content:"S|00|E|00|L|00|E|00|C|00|T";nocase;offset:0;depth:30;sid:3000003;rev:1;)

#portvar SIP_PORTS [5060,23768]
#var JLM_LAN [233.117.23.0/24,203.172.111.0/24]
# the rule must reference the variable it defines ($JLM_LAN); local rules should use sid values of 1000000 or higher, lower sids are reserved for the official rule sets
#alert udp $JLM_LAN any -> any $SIP_PORTS ( msg:"This is my first alert!!!!!!!!!";sid:1;)
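The following Python is an added example, not part of this page and not Snort code: it re-implements the content, nocase, offset and depth semantics used by the rules above and runs them against constructed sample payloads, so the effect of depth:30 (the whole pattern must end within the first 30 bytes) and of the hex and UTF-16LE content strings can be seen directly. The host names, SIP user and SQL text in the payloads are made up. uricontent is not modelled; in Snort 2 it searches the normalized URI buffer rather than the raw payload.

```python
from typing import Optional

# Added example (not from the open-voip.org page): a minimal re-implementation
# of Snort's content / nocase / offset / depth options, evaluated against
# constructed sample payloads.


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text outside pipe characters is literal; text between pipes is a list of
    hex bytes, so 'S|00|E' -> b'S\\x00E' and '|49 4e|' -> b'IN'.
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")  # literal text
        elif chunk.strip():
            out += bytes.fromhex(chunk)      # hex bytes between pipes
    return bytes(out)


def content_matches(payload: bytes, spec: str, nocase: bool = False,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """Evaluate one content option with Snort's offset/depth semantics.

    offset: first payload byte at which the match may start.
    depth:  number of bytes, counted from offset, within which the whole
            pattern must lie. Snort refuses a depth shorter than the pattern.
    """
    pattern = parse_content(spec)
    if depth is not None and depth < len(pattern):
        raise ValueError("depth must be at least the pattern length")
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


# Constructed sample payloads (not captured traffic).
HTTP_HOST_EARLY = b"GET / HTTP/1.1\r\nHost: CNN.com\r\n"   # host name occupies bytes 22..28
HTTP_HOST_LATE = (b"GET /index.html?session=abcdef HTTP/1.1\r\n"
                  b"Host: cnn.com\r\n")                     # host name starts at byte 47
SIP_INVITE = b"INVITE sip:alice@example.com SIP/2.0\r\n"
UTF16_SELECT = "SELECT name FROM users".encode("utf-16-le")  # UTF-16LE, as in TDS SQL batches
ASCII_SELECT = b"SELECT name FROM users"

SELECT_SPEC = "S|00|E|00|L|00|E|00|C|00|T"   # the page's UTF-16LE "SELECT" content
INVITE_SPEC = "|49 4e 56 49 54 45|"           # "INVITE" as hex bytes


def evaluate_rules() -> dict:
    """Apply the page's content options to the sample payloads."""
    return {
        # cnn.com rule: nocase; offset:0; depth:30
        "cnn_in_first_30_bytes": content_matches(HTTP_HOST_EARLY, "cnn.com", nocase=True, offset=0, depth=30),
        "cnn_past_depth": content_matches(HTTP_HOST_LATE, "cnn.com", nocase=True, offset=0, depth=30),
        "cnn_without_depth": content_matches(HTTP_HOST_LATE, "cnn.com", nocase=True),
        # INVITE rule: hex content, case-sensitive
        "invite_hex": content_matches(SIP_INVITE, INVITE_SPEC),
        # SQL rule: only the UTF-16LE form of SELECT is caught
        "select_utf16": content_matches(UTF16_SELECT, SELECT_SPEC, nocase=True, offset=0, depth=30),
        "select_ascii": content_matches(ASCII_SELECT, SELECT_SPEC, nocase=True, offset=0, depth=30),
    }


if __name__ == "__main__":
    for name, hit in evaluate_rules().items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```

The two cnn.com cases show why depth matters: the same Host header is missed as soon as a longer request line pushes it past byte 30, so a rule meant to see the Host header needs either a larger depth or a buffer-specific modifier. The SQL case shows that the page's rule is specific to the UTF-16LE encoding and silently ignores ASCII queries.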


Snort VoIP rules

http://c.sipvicious.org/resources/snortrules.txt
