fir3net
Snort/SourceFire - Writing Signatures

Below is a custom signature that alerts on TCP traffic from any source to any destination on port 22 whose packets have exactly the PSH and ACK flags set (flags:PA with no +, * or ! modifier is an exact match). On its own that would fire on nearly every packet of every SSH session, so the threshold option (type limit, track by_dst, count 1, seconds 600) caps the output at one alert per destination host in each 600 second window and suppresses the rest of that window's matches. The sid is taken from the 1000000 and above range reserved for local rules, and classtype:not-suspicious gives the event the lowest default priority. Note that the in-rule threshold keyword has been deprecated since Snort 2.8.5 in favour of event_filter entries in threshold.conf (and detection_filter for per-rule rate conditions); it still loads, but new rules should use the replacements.

alert tcp any any -> any 22 (msg:"SSH TRAFFIC"; flags:PA; classtype:not-suspicious; threshold: type limit, track by_dst, count 1, seconds 600; sid:1000001; rev:1;)

Adding the Rule

Snort

Add the rule to the local.rules file under your $RULE_PATH (typically /etc/snort/rules), then make sure the include $RULE_PATH/local.rules line in /etc/snort/snort.conf is not commented out. Give the rule a sid that is not already used by another local rule, and run snort -T -c /etc/snort/snort.conf to confirm the configuration and rule set parse cleanly before restarting Snort.
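The two edits above are easy to get wrong by hand (a rule pasted twice, a stale sid, the include still commented out), so here is an added Python example, not from the original article, that applies them to snort.conf and local.rules contents and refuses to add a rule whose sid is already taken. The snort.conf fragment and the existing local.rules line are constructed sample data; the functions work on text so they can be checked without a Snort install, and the usual way to use them is to read the files, pass the contents through, and write the results back.

```python
import re

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
# A commented-out include line, e.g. "# include $RULE_PATH/local.rules".
INCLUDE_RE = re.compile(
    r'^[ \t]*#[ \t]*(include[ \t]+\$RULE_PATH/local\.rules)[ \t]*$', re.M)

# Constructed snort.conf fragment with the local.rules include commented out.
SNORT_CONF = (
    'var RULE_PATH /etc/snort/rules\n'
    'include $RULE_PATH/community.rules\n'
    '# include $RULE_PATH/local.rules\n'
)

# Constructed existing local.rules content.
LOCAL_RULES = 'alert tcp any any -> any 23 (msg:"TELNET"; sid:1000000; rev:1;)\n'

# The rule from the article.
NEW_RULE = ('alert tcp any any -> any 22 (msg:"SSH TRAFFIC"; flags:PA; '
            'classtype:not-suspicious; threshold: type limit, track by_dst, '
            'count 1, seconds 600; sid:1000001; rev:1;)')


def enable_local_rules(conf_text):
    """Uncomment the local.rules include in snort.conf text.

    Returns the new text; it is unchanged if the include is already active
    or not present at all (in which case you must add the line yourself).
    """
    return INCLUDE_RE.sub(r'\1', conf_text)


def add_rule(rules_text, rule):
    """Append `rule` to local.rules text, refusing a sid that is already used."""
    m = SID_RE.search(rule)
    if not m:
        raise ValueError('rule has no sid')
    sid = m.group(1)
    if sid in SID_RE.findall(rules_text):
        raise ValueError('sid %s is already used in local.rules' % sid)
    if rules_text and not rules_text.endswith('\n'):
        rules_text += '\n'
    return rules_text + rule + '\n'


if __name__ == '__main__':
    print(enable_local_rules(SNORT_CONF))
    print(add_rule(LOCAL_RULES, NEW_RULE))
```

After writing the files back, snort -T -c /etc/snort/snort.conf is still the authoritative check: it loads every included rule file and reports syntax errors and duplicate rules that simple text handling cannot catch.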

Sourcefire

On the Defense Center select the sensor (or, for a standalone appliance, work on the sensor itself). Import the rule through the rule editor, enable it in the intrusion policy that the sensor uses (imported local rules are not enabled by default), then apply the policy so the rule is pushed to the sensor.

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001