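# activate/dynamic pair: the activate rule fires when "/bin/sh" appears in TCP traffic
# towards port 22 of 192.168.1.21 and switches on dynamic rule 1 (activates:1 /
# activated_by:1), which then records the next 100 packets (count:100) of that traffic.
# The alert text was missing its Polish diacritics (extraction garble) and is repaired.
# NOTE(review): neither rule carries sid/rev, so the event cannot be referenced from
# threshold/suppress entries. activate/dynamic is the legacy form; newer Snort 2
# releases express the same with the tag option — confirm against the deployed version.
activate tcp any any -> 192.168.1.21 22 (content:"/bin/sh"; activates:1; msg:"Możliwe przepełnienie bufora usługi SSH"; )
dynamic tcp any any -> 192.168.1.21 22 (activated_by:1; count:100;)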
-------------------------
# Custom rule type "redalert": behaves like a normal alert (type alert) and sends every
# match to syslog (facility LOG_AUTH, priority LOG_ALERT) and to the MySQL database
# "snort" on localhost, connecting as user "snort".
# NOTE(review): no password= is given for the database output; if one is added here the
# rules file holds a credential and needs restrictive file permissions. The database
# output plugin exists only in older Snort 2 releases — confirm it is available.
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=snort host=localhost
}
-------------------------
# Alerts on every TCP packet whose source address is 192.168.1.35, regardless of port
# or payload — there is no content match, so this generates one event per packet.
# NOTE(review): no sid/rev is set; add a unique sid (local range >= 1000000) so the
# event can be thresholded or suppressed later.
alert tcp 192.168.1.35 any -> any any (msg:"Wykryto ruch komputera 192.168.1.35";)
-------------------------
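# Alerts on any TCP packet whose payload contains the single byte 0x90 (hex notation
# |90|, the x86 NOP). A one-byte pattern with no offset/depth limit matches a large share
# of ordinary traffic; this is illustrative, not a deployable signature.
# The alert text was missing its Polish diacritics (extraction garble) and is repaired.
alert tcp any any -> any any (msg:"Podejrzana zawartość"; content:"|90|";)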
-------------------------
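# Same 0x90 match as before, but the search is narrowed: it starts at payload byte 40
# (offset:40) and covers the 75 bytes from there (depth:75), which reduces false
# positives compared with searching the whole payload.
# The alert text was missing its Polish diacritics (extraction garble) and is repaired.
alert tcp any any -> any any (msg:"Podejrzana zawartość"; content:"|90|"; offset:40; depth:75;)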
-------------------------
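# Same windowed 0x90 match, additionally requiring a payload larger than 6000 bytes
# (dsize: >6000). NOTE(review): a single Ethernet frame rarely carries that much payload;
# whether this matches depends on stream reassembly in the deployed Snort — confirm.
# The alert text was missing its Polish diacritics (extraction garble) and is repaired.
alert tcp any any -> any any (msg:"Podejrzana zawartość"; content:"|90|"; offset:40; depth:75; dsize: >6000;)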
-------------------------
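# Detects packets with both SYN and FIN set (flags: SF), ignoring reserved bits 1 and 2
# (the ",12" mask) — a classic SYN/FIN scan signature.
# Fix: the original header "alert any any -> any any" had no protocol field; Snort's
# rule parser requires tcp/udp/icmp/ip there, and flags is a TCP-only option, so the
# protocol is set to tcp.
# The alert text was missing its Polish diacritics (extraction garble) and is repaired.
# NOTE(review): no sid/rev is set; add one so the event can be thresholded/suppressed.
alert tcp any any -> any any (flags: SF,12; msg: "Możliwe skanowanie SYN FIN";)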
-------------------------
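# Syntax template for a global threshold entry. Placeholders (Polish): 
# <identyfikator_generatora> = generator id, <identyfikator_sygnatury> = signature id.
# type limit/threshold/both controls how count events per seconds are reported,
# tracked per source or per destination address.
# Fix: the track keyword is by_dst, not by_dest, in Snort's threshold/event_filter syntax.
# NOTE(review): later Snort 2 releases replace "threshold" with "event_filter"
# (same arguments) — confirm which form the deployed version accepts.
threshold gen_id <identyfikator_generatora>, sig_id <identyfikator_sygnatury>, type <limit | threshold | both>, track <by_src | by_dst>, count <n>, seconds <m>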
-------------------------
# Same windowed 0x90 + dsize rule as above, now with a unique signature id (sid:1000001,
# in the local-rule range >= 1000000) and revision (rev:1), which is what threshold and
# suppress entries reference.
alert tcp any any -> any any (msg:"Possible  exploit"; content:"|90|"; offset:40; depth:75; dsize: >6000; sid:1000001; rev:1;)
-------------------------
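# SYN/FIN scan rule with an in-rule threshold: type both with count 100 / seconds 60
# reports the event once per destination (track by_dst) when 100 or more matches occur
# within 60 seconds, then stays quiet for the rest of that window.
# Fixes: protocol field added (flags is TCP-only and the header needs tcp/udp/icmp/ip);
# track keyword corrected from by_dest to by_dst; terminating ';' added after the last
# option for consistency with the other rules.
# The alert text was missing its Polish diacritics (extraction garble) and is repaired.
# NOTE(review): no sid/rev is set; in-rule "threshold" is deprecated in later Snort 2
# releases in favour of detection_filter/event_filter — confirm for the deployed version.
alert tcp any any -> any any (flags:SF,12; msg:" Możliwe skanowanie SYN FIN"; threshold: type both, track by_dst, count 100, seconds 60;)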
-------------------------
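# Syntax template for a suppress entry: silences the event gen_id/sig_id entirely, or
# only for traffic from (by_src) / to (by_dst) the given ip[/mask].
# Placeholder (Polish): <identyfikator_generatora> = generator id.
# Fix: the track keyword is by_dst, not by_dest, in Snort's suppress syntax.
# NOTE(review): suppression hides events rather than fixing a noisy rule; prefer tuning
# the rule (sid-specific) and keep suppress entries narrow and documented.
suppress gen_id <identyfikator_generatora>, sig_id <sid>, [track <by_src | by_dst>, ip[/mask]]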
