Snort installation and configuration
Reference article
Snort rule notes
Start monitoring mode (-A console prints alerts to the terminal, -q suppresses the startup banner, -c names the configuration, -i the capture interface):
sudo snort -A console -q -c /etc/snort/snort.conf -i ens33
Example rules for ICMP (two revisions of one rule, rev:1 and rev:2; keep only one of them in the rules file, because Snort refuses to load two rules that share the same sid):
alert icmp any any -> any any (msg:"ICMP test detected"; sid:100001; rev:1;)
alert icmp any any -> any any (msg:"ICMP data>1024"; dsize:>1024; sid:100001; rev:2;)
The first revision alerts on every ICMP packet; the second adds dsize:>1024, so it only fires when the ICMP payload exceeds 1024 bytes (for example a ping with an oversized payload). Note that sids below 1000000 are reserved for rules distributed with Snort; local rules should use sid:1000000 and above.
Example rules for TCP:
alert tcp any any -> any any (msg:"Nmap FIN Scan"; flags:F; sid:100002; rev:1;)
alert tcp any any -> any any (msg:"SYN-FIN scan!"; flags:SF; sid:100002; rev:2;)
flags:F matches segments with only the FIN flag set (a FIN scan); flags:SF matches segments with exactly SYN and FIN set, a combination no legitimate TCP stack sends. These two lines are again two revisions of one sid, so only one belongs in the rules file, and sid 100002 is below the local range of 1000000.
alert tcp any any -> 192.168.43.97 80 (msg:"SQL Injection Detected"; content:"%27"; sid:100000007;)
alert tcp any any -> 192.168.43.97 80 (msg:"SQL Injection Detected"; content:"%22"; sid:100000008;)
These two rules look for the URL-encoded single quote (%27) and double quote (%22) in traffic to port 80 on 192.168.43.97. They are teaching rules rather than production detection: without an http_uri or similar modifier, content matches the literal bytes anywhere in the TCP payload, so the rules also fire on legitimate form data that happens to contain those sequences, and they miss a quote that the client sends unencoded. They also carry no rev, so later edits to them cannot be tracked.
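The rules above reuse sid values across revisions, use sids below the local range, and in two cases omit rev. Before loading a rules file it is worth linting it for exactly those three problems. The script below is an added example, not code from the original post or from the Snort project: it checks a Snort 2 rules file for duplicate sids, sids below 1000000, and rules without rev. It assumes one rule per line and POSIX sh, sed, grep, sort, awk and mktemp; the sample rules file it writes is constructed here from the rules on this page.

```shell
#!/bin/sh
# Added example (not part of the original post): lint a Snort 2 rules file
# before loading it. Flags the problems visible in the rules on this page:
#   1. the same sid used by two rules (Snort refuses to load the file),
#   2. sids below 1000000, the range reserved for Snort's own rule sets,
#   3. rules without a rev keyword, which makes later edits untraceable.
# Assumes one rule per line and POSIX sh tools.

# Print the sid of each rule line read on stdin (one rule per line assumed).
sid_of() {
    sed -n 's/.*[;( ]sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Keep only rule lines; skip comments, blank lines and include directives.
rule_lines() {
    grep -E '^(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1"
}

# sids that occur more than once in the file.
duplicate_sids() {
    rule_lines "$1" | sid_of | sort | uniq -d
}

# sids below the local range (local rules start at 1000000).
reserved_sids() {
    rule_lines "$1" | sid_of | sort -un | awk '$1 < 1000000'
}

# sids of rules that carry no rev keyword.
missing_rev() {
    rule_lines "$1" | grep -v 'rev:' | sid_of
}

# Run all three checks on the file given as $1; return 1 if anything was found.
lint_rules() {
    status=0
    for s in $(duplicate_sids "$1"); do echo "duplicate sid $s"; status=1; done
    for s in $(reserved_sids "$1"); do echo "sid $s is below the local range 1000000"; status=1; done
    for s in $(missing_rev "$1"); do echo "sid $s has no rev"; status=1; done
    return $status
}

# Constructed sample input: the rules from this page, written to the file $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
alert icmp any any -> any any (msg:"ICMP test detected"; sid:100001; rev:1;)
alert icmp any any -> any any (msg:"ICMP data>1024"; dsize:>1024; sid:100001; rev:2;)
alert tcp any any -> any any (msg:"Nmap FIN Scan"; flags:F; sid:100002; rev:1;)
alert tcp any any -> 192.168.43.97 80 (msg:"SQL Injection Detected"; content:"%27"; sid:100000007;)
EOF
}

# Demo: sh lint_rules.sh --demo   (reports the three findings and exits 1)
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_rules "$f"
    lint_rules "$f"
    rm -f "$f"
fi
```

To use it on a real file, source the script and call lint_rules /etc/snort/rules/local.rules (the path is an assumption; use whatever your snort.conf includes). The lint complements rather than replaces the parser: snort -T -c /etc/snort/snort.conf parses the configuration and every included rule file without starting capture, while the checks here enforce the sid range and rev conventions, which are not parse errors.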