1. Forum
  2. MicroNet
  3. MIN COMP

  • Snort rule...

    From Shurato@618:300/50 to All on Thu Jan 2 15:24:00 2025
    I'm just looking for a simple rule to block traffic from a specific ip to
    mine from any port to port 23 all the time. I tried:

    alert tcp 123.192.96.98 any -> 192.168.0.1/24 23 (msg:"Blocked IP"; action: drop;)

    But action is an unknown rule command... I found that with "alert ip", but I couldn't get that to work either. This should be really simple... I'm not trying to create a complex rule. This rule of course is all on one line.

    --
    Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
    ,wss) (Ports 22,23,110,21,119,999) (ssh login 'bbs' password 'shsbbs')


    *** THE READER V4.50 [freeware]
    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)
  • From Shurato@618:300/50 to Shurato on Thu Jan 2 16:07:00 2025

    I'm just looking for a simple rule to block traffic from a specific ip to mine from any port to port 23 all the time. I tried:

    alert tcp 123.192.96.98 any -> 192.168.0.1/24 23 (msg:"Blocked IP"; action: drop;)

    But action is an unknown rule command... I found that with "alert ip", but I couldn't get that to work either. This should be really
    simple... I'm not trying to create a complex rule. This rule of
    course is all on one line.

    Ok, I found block instead of alert and no parenthesis if that'll work.

    --
    Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
    ,wss) (Ports 22,23,110,21,119,999) (ssh login 'bbs' password 'shsbbs')


    *** THE READER V4.50 [freeware]
    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)
  • From Shurato@618:300/50 to Shurato on Thu Jan 2 21:16:00 2025

    I'm just looking for a simple rule to block traffic from a specific
    ip to
    mine from any port to port 23 all the time. I tried:

    alert tcp 123.192.96.98 any -> 192.168.0.1/24 23 (msg:"Blocked IP"; action: drop;)

    But action is an unknown rule command... I found that with "alert
    ip",
    but I couldn't get that to work either. This should be really simple... I'm not trying to create a complex rule. This rule of course is all on one line.

    Ok, I found block instead of alert and no parenthesis if that'll work.

    That did nothing. I found:

    alert tcp 192.168.0.11 any -> 192.168.0.3 23 (msg:"Telnet Traffic Blocked";drop;)

    but that gives me an error that the rule option drop is unknown... I'm
    trying to use AI overviews, but they're full of contradictions and errors. I also don't know how to determine what adapter snort is monitoring. I want to monitor the local ethernet, not my vpn... I'll shut up for a while now...
    I'll take any suggestions. I've tried reading documentation, but it's more confusing than the AI suggestions... I should probably just not bother, this is ending up to be a lot more work than it's worth.

    --
    Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
    ,wss) (Ports 22,23,110,21,119,999) (ssh login 'bbs' password 'shsbbs')


    *** THE READER V4.50 [freeware]
    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)