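# Alert output: one-line ("fast") alerts appended to the project log file.
# The directory should be writable only by the user Snort runs as, so that
# other local users cannot truncate or tamper with the alert log.
output alert_fast: /home/localhost/python/frymaster/asfc/log/alert

# These are the hosts on the local network that we monitor
var LOCAL_NET [77.74.196.223,77.74.196.233]

# The host whose port 8080 traffic we are to log (Requirement 1)
var SPECIFIC_HOST [77.74.196.223]

# Required by the sfportscan preprocessor, as recommended by
# http://www.snort.org/docs/snort_htmanuals/htmanual_281/node73.html
preprocessor flow: stats_interval 0 hash 2

# Requirement 1: detect connection attempts to port 8080 on a specific host.
# Match on SYN only (a new connection), not on SYN/ACK or data packets.
# "S,12" ignores the two reserved (ECN: CWR/ECE) bits; a bare "flags:S"
# requires every other bit to be clear and silently misses SYNs that carry ECN.
alert tcp any any -> $SPECIFIC_HOST 8080 (flags:S,12; msg:"Port 8080 connection attempt detected"; sid:1000001; rev:2;)

# Requirement 2: detect outgoing emails with {SPAM} as the subject.
# The message headers (including "Subject:") are sent by the SMTP *client*:
# from an ephemeral source port on our host to destination port 25 on the
# receiving server. Matching "source port 25" only covers the server side of
# the conversation (banner, response codes), which never carries a Subject
# header, so that form of the rule could never fire on outgoing mail.
# Header field names are case-insensitive (RFC 5322), hence nocase.
# Cannot use colons in this version of snort - 3a is the hex code for ASCII colon
# Caveats: mail submitted on port 587 (submission) needs a second rule for that
# port, and an RFC 2047 encoded-word subject (=?...?=) will not match a plain
# content search.
alert tcp $LOCAL_NET any -> any 25 (content:"Subject|3a| {SPAM}"; nocase; msg:"Spam email detected"; sid:1000002; rev:2;)

# Requirement 3: detect incoming ping (ICMP type 8 - echo request).
# ICMP has no ports; the "any any" port fields are required by rule syntax only.
alert icmp any any -> $LOCAL_NET any (itype:8; msg:"Incoming ping request detected"; sid:1000003; rev:1;)

# Requirement 4: detect portscanning of our network (this also detects portsweeps).
# Outgoing portscans are ignored because the test machine actually runs an nmap
# scanner to identify net-facing services for an Edinburgh University research
# department.
# CAVEAT: ignore_scanners covering the whole of $LOCAL_NET means a scan launched
# from a compromised local host (e.g. by the worm in Requirement 5) is also
# ignored. If only one host runs the legitimate scanner, narrow ignore_scanners
# to that host.
preprocessor sfportscan: proto { all } scan_type { all } sense_level { medium } watch_ip { $LOCAL_NET } ignore_scanners { $LOCAL_NET }

# Requirement 5: detect activity by the worm phoning home.
# As req.4 is a preprocessor with no sid, the sid numbers are not contiguous.
# The content is "HeLLo" in hex; the mixed case is part of the signature, so
# no nocase is used here.
# Note that you could also detect the worm being sent over a TCP stream by
# searching for the (two byte per character) strings it outputs.
var WORM_C2 [10.10.10.1]
alert tcp any any -> $WORM_C2 1001 (content:"|48 65 4c 4c 6f|"; msg:"Worm phoning home detected"; sid:1000005; rev:1;)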