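#---------------------------------------------
# http://www.snort.org Snort 1.6 Ruleset
# Current Database Updated -- 07/12/2000
# Contact: Jim Forster - jforster@rapidnet.com
#---------------------------------------------

# Decode URI-encoded characters in HTTP traffic on these ports before the
# rules run, so content matches are not bypassed by %xx encoding.
preprocessor http_decode: 80 443 8080

# Alert on IP fragments smaller than 128 bytes; normal stacks rarely emit
# fragments this small, so they usually indicate an evasion attempt.
preprocessor minfrag: 128

# Portscan detector: the network to watch, how many distinct ports hit within
# the interval count as a scan, the interval in seconds, and the log file.
preprocessor portscan: 192.168.1.1/24 3 5 /var/log/snort_portscan.log
#                      ^^^^^^^^^^^^^^ ^ ^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^
#                      |              | | |
# Your IP address or Network here+    | | |
#                                     | | |
# Amount of ports being connected-----+ | |
#   in this                             | |
# Interval (in seconds)-----------------+ |
#                                         |
# Log file (path/name)--------------------+

# Hosts listed here are never reported by the portscan detector, so traffic
# from them is a blind spot by design -- keep the list to trusted scanners.
preprocessor portscan-ignorehosts: 192.168.1.4
#---------------------------------------------

#---------------------------------------------
# CHANGE THE NEXT LINE TO REFLECT YOUR NETWORK
# (Single system = your ip/32)
# Every rule below is written as !$HOME_NET -> $HOME_NET, so a wrong value
# here makes the whole set silent rather than noisy. Snort applies the /24
# mask, so 192.168.1.1/24 is treated as the 192.168.1.0/24 network.
var HOME_NET 192.168.1.1/24
#---------------------------------------------

# Inbound ICMP echo requests (itype:8) whose payload matches the fixed
# pattern a particular ping tool or OS stack emits. depth:32 limits the
# content search to the first 32 payload bytes. The IDSnnn tags reference
# the arachNIDS signature database.
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS166 - PING Seer Windows"; content:"|88042020202020202020202020202020|";itype:8;depth:32;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS152 - PING BSD"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: 32;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS153 - PING Cisco Type.x"; content:"|abcdabcdabcdabcdabcdabcdabcdabcd|";itype:8;depth:32;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS154 - PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS155 - PING Delphi-Piette Windows"; content:"|50696e67696e672066726f6d2044656c|";itype:8;depth:32;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS156 - PING Flowpoint 2200DSL Router"; content:"|0102 0304 0506 0708 090a 0b0c 0d0e 0f10|";itype:8;depth:32;)
#---------------------------------------------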