Study the Snort rule given below and interpret the rule.
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
A. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet
B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet
C. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111
D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111
Explanation:
Refer to the online documentation on creating Snort rules at http://snort.org/docs/snort_htmanuals/htmanual_261/node147.html
The given link is not available. 🙁
I hope this link satisfies our purpose.
http://manual.snort.org/node27.html
Disregard
More information.
http://www.ussrback.com/docs/papers/IDS/snort_rules.htm
It’s useful!