
Listing 1. The Snort Rules File for Our Policy

##
#       Define our network and other network
#
#       OURNET is the monitored /24; OTHERNET is everything that is not OURNET
#       (the leading "!" negates the variable).  NIDSHOST is the sensor itself
#       and sits inside OURNET.  PORTS and SECS are the thresholds consumed by
#       the portscan preprocessor below: PORTS distinct ports touched within
#       SECS seconds raises a portscan alert.
#
var OURNET 208.177.13.0/24
var OTHERNET !$OURNET
var NIDSHOST 208.177.13.251
var PORTS 10
var SECS 3
##
#       Log rules
#
#       Inbound telnet (23), ftp (21) and finger (79) from outside are only
#       written to the packet log; these rules generate no alert.
##
log tcp $OTHERNET any -> $OURNET 23
log tcp $OTHERNET any -> $OURNET 21
log tcp $OTHERNET any -> $OURNET 79
##
#       Alert Rules
#
#       NOTE(review): the listing wraps each alert rule onto two lines for
#       print.  Snort reads one rule per line; join the lines (or end the
#       first with a trailing backslash) before loading this file.
#
#       DNS version queries (UDP and TCP 53): the source is "any any", so the
#       rules fire for internal as well as external clients of an OURNET DNS
#       server.  "content" matching is case sensitive unless "nocase;" is
#       added, so a query spelled "VERSION" would not match as written.
#       PHF: probe for the vulnerable /cgi-bin/phf script on inbound web
#       traffic only (destination $OURNET 80).
##
alert udp any any -> $OURNET 53 (msg:"UDP IDS/DNS-version-query";
content:"version";)
alert tcp any any -> $OURNET 53 (msg:"TCP IDS/DNS-version-query";
content:"version";)
alert tcp any any -> $OURNET 80 (msg:"PHF attempt";
content:"/cgi-bin/phf";)
##
#       Load portscan pre-processor for portscan alerts
#
#       Arguments: network to watch, port threshold, time window, alert file.
#       Scans are counted for OTHERNET sources only; every OURNET host
#       (including the sensor) is excluded by the ignorehosts line, so a
#       scanner inside OURNET is invisible to this preprocessor.
#       NOTE(review): the alert-file path below is wrapped onto its own line
#       for print; it belongs at the end of the preprocessor line.
##
preprocessor portscan: $OTHERNET $PORTS $SECS
/var/log/snort/pscan_alerts
preprocessor portscan-ignorehosts: $OURNET
##
#       Pass Rules (Ignore)
#
#       Snort's default rule order is Alert -> Pass -> Log, so these pass
#       rules do not suppress the alert rules above unless snort is started
#       with -o (Pass -> Alert -> Log).  Confirm which order the sensor runs
#       with before relying on them to silence anything.
#       - Outbound web from OURNET is ignored; "->" is one-directional, so
#         inbound web to OURNET (the PHF rule) is still inspected.
#       - The "<>" rule ignores every UDP packet whose source and destination
#         ports are both >= 1024, in either direction: a broad blind spot for
#         any UDP service or probe on a high port.
#       - The last rule matches only packets with BOTH source and destination
#         port 22.  An SSH client normally uses an ephemeral source port, so
#         this presumably does not cover admin SSH sessions to the sensor as
#         intended; "pass tcp any any -> $NIDSHOST 22" would -- confirm intent.
##
pass tcp $OURNET any -> $OTHERNET 80
pass udp any 1024:  <> any 1024:
pass tcp any 22 -> $NIDSHOST 22