I am currently trying to configure the Snort rules to detect SMTP, HTTP and DNS traffic. Is this set up correctly?
alert icmp any any -> $HOME_NET any (msg: "ICMP connection attempt"; sid:100000$
alert tcp any any -> $HOME_NET 80 (msg:"HTTP connection attempt"; sid:1000003; $
alert udp any any -> 10.8.9.39 any (msg: "DNS connection attempt"; sid:1000004;$
alert tcp $SMTP_SERVERS any -> $HOME_NET any (msg:"SMTP connection attempt"; si$
These rules ended up being correct. The documentation can be found at: https://www.snort.org/documents
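One way to check rule files like the one above for structural problems before loading them (truncated lines, missing msg/sid/rev, duplicate sids), as an added example that is not part of the original post and not Snort's own parser: the rule lines and sids below are constructed for the example and only resemble the ones in the question. It complements, not replaces, Snort's own config test (`snort -T -c snort.conf`).

```python
"""Minimal structural linter for Snort 2 rule lines (constructed example)."""
import re

# Header: action proto src sport dir dst dport, then ( options ) on one line.
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# One option: key, optional ':value' (quoted values may contain ';'), then ';'.
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_options(opts: str) -> dict:
    """Turn 'msg:"x"; sid:1; rev:1;' into {'msg': 'x', 'sid': '1', 'rev': '1'}."""
    parsed = {}
    for key, val in OPTION_RE.findall(opts):
        parsed[key] = val.strip('"') if val else True   # flag options -> True
    return parsed

def lint_rules(text: str) -> tuple[list[dict], list[str]]:
    """Return (parsed rules, problems). Lines that are not complete rules are skipped."""
    rules, problems, seen_sids = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:   # e.g. a line cut off before the closing ')'
            problems.append(f"line {lineno}: not a complete rule (truncated or unbalanced parentheses?)")
            continue
        opts = parse_options(m.group('opts'))
        for required in ('msg', 'sid'):
            if required not in opts:
                problems.append(f"line {lineno}: missing {required}")
        if 'rev' not in opts:
            problems.append(f"line {lineno}: no rev; add rev:1 so later edits can be tracked")
        sid = opts.get('sid')
        if sid in seen_sids:
            problems.append(f"line {lineno}: sid {sid} already used on line {seen_sids[sid]}")
        elif sid:
            seen_sids[sid] = lineno
        rules.append({'line': lineno, 'proto': m.group('proto'), 'dst': m.group('dst'),
                      'dport': m.group('dport'), **opts})
    return rules, problems

# Constructed sample: four complete rules, one duplicate sid without rev, one truncated line.
RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP connection attempt"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS connection attempt"; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"SMTP connection attempt"; flow:to_server,established; sid:1000005; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"SMTP duplicate"; sid:1000005;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP connection attempt"; sid:100
"""

if __name__ == "__main__":
    parsed, issues = lint_rules(RULES)
    for r in parsed:
        print(f"line {r['line']}: {r['proto']} -> {r['dst']}:{r['dport']} sid={r['sid']} msg={r['msg']!r}")
    print("\n".join(issues))
```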