Listing 1. The Snort Rules File for Our Policy
##
# Define our network and other network
#
var OURNET 208.177.13.0/24
var OTHERNET !$OURNET
var NIDSHOST 208.177.13.251
var PORTS 10
var SECS 3
##
# Log rules
##
log tcp $OTHERNET any -> $OURNET 23
log tcp $OTHERNET any -> $OURNET 21
log tcp $OTHERNET any -> $OURNET 79
##
# Alert Rules
##
alert udp any any -> $OURNET 53 (msg:"UDP IDS/DNS-version-query";
content:"version";)
alert tcp any any -> $OURNET 53 (msg:"TCP IDS/DNS-version-query";
content:"version";)
alert tcp any any -> $OURNET 80 (msg:"PHF attempt";
content:"/cgi-bin/phf";)
##
# Load portscan pre-processor for portscan alerts
##
preprocessor portscan: $OTHERNET $PORTS $SECS
/var/log/snort/pscan_alerts
preprocessor portscan-ignorehosts: $OURNET
##
# Pass Rules (Ignore)
##
pass tcp $OURNET any -> $OTHERNET 80
pass udp any 1024: <> any 1024:
pass tcp any 22 -> $NIDSHOST 22