snort-1.0-lib is a set of example Snort rules. It's short, but gives a good overview of the basic rule types and how to use the pattern matcher properly. This version of snort-lib includes alot of new stuff.
d2a73cd5b6c76f16f4ead40cb0eb1d77071693461cc924cd7f57a3b3acb38082
# This file posits that you're trying to defend the 192.168.1.0 class C network
# which is an RFC 1918 address space. Change this to match your own network
# appropriately
# we're trying to log data to "sensitive" ports, plus alert on truly suspicious
# activity
# some of these things may not be suspicious in your network environment, but we
# run a fairly tight network (access wise) where I work, so most every alert
# rule for specific network rules shown here applies in my case
# if you need help writing a specific rule, feel free to drop me a line!
# -Marty (roesch@clark.net)
##################################
# alert on interesting packets
##################################
# look for stealth port scans/sweeps
alert tcp any any -> 192.168.1.0/24 any (msg:"SYN FIN Scan"; flags: SF;)
alert tcp any any -> 192.168.1.0/24 any (msg:"FIN Scan"; flags: F;)
alert tcp any any -> 192.168.1.0/24 any (msg:"NULL Scan"; flags: 0;)
alert tcp any any -> 192.168.1.0/24 any (msg:"XMAS Scan";flags: FPU;)
# find backdoor attempts
alert udp any any -> 192.168.1.0/24 31337 (msg:"Back Orifice";)
alert tcp any any -> 192.168.1.0/24 12345 (msg:"Netbus";)
alert tcp any any -> 192.168.1.0/24 12346 (msg:"Netbus";)
alert tcp any any -> 192.168.1.0/24 10752 (msg:"Linux mountd backdoor";)
alert udp any any -> 192.168.1.0/24 2140 (msg:"Deep Throat";)
alert udp any any -> 192.168.1.0/24 2989 (msg:"Rat backdoor";)
alert tcp any any -> 192.168.1.0/24 31337 (msg:"BIND Shell";)
alert udp any any -> 192.168.1.0/24 22 (msg:"PCAnywhere"; content:"NQ";)
alert udp any any -> 192.168.1.0/24 22 (msg:"PCAnywhere"; content:"ST";)
alert udp any any -> 192.168.1.0/24 5632 (msg:"PCAnywhere"; content:"ST";)
# example of the new ICMP detection options
alert icmp any any -> 192.168.1.0/24 any (msg:"Being Pinged"; itype: 8;)
# NT SNMP user list
alert udp any any -> 192.168.1.0/24 161 (msg:"NT user list"; content:"|2b 06 01 04 01 4d 01 02 19|";)
# IMAP buffer overflow
alert tcp any any -> 192.168.1.0/24 143 (msg:"IMAP buffer overflow!"; content:"|E8 C0FF FFFF|/bin/sh"; )
# named buffer overflow
alert tcp any any -> 192.168.1.0/24 53 (msg:"named buffer overflow!"; content:"|CD80 E8D7 FFFF FF|/bin/sh";)
# web attack detection example rule
alert tcp any any -> 192.168.1.0/24 80 (content:"/cgi-bin/phf"; msg:"PHF Attack!";)
# detect Traceroutes
alert icmp any any -> 192.168.1.0/24 any (msg:"Incoming Windows Traceroute"; itype: 8; TTL: 1;)
alert udp any any -> 192.168.1.0/24 any (msg:"Incoming Traceroute"; TTL: 1;)
# netbios crap
alert udp any any -> 192.168.1.0/24 137 (msg:"SMB Name Wildcard"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"Samba client access"; content:"|00|Unix|00|Samba";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB CD..."; content:"\...|00 00 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB CD.."; content:"\..|2f 00 00 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB C$ access"; content:"\C$|00 41 3a 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB D$ access"; content:"\D$|00 41 3a 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB ADMIN$ access"; content:"\ADMIN$|00 41 3a 00|";)
# token DoS detector
alert udp 192.168.1.0/24 7 -> 192.168.1.0/24 19 (msg:"UDP bomb";)
alert udp 192.168.1.0/24 19 -> 192.168.1.0/24 7 (msg:"UDP bomb";)
# DNS Stuff
alert tcp any any -> 192.168.1.0/24 53 (msg:"DNS version grab"; content:"|07|version|04|bind";)
alert udp any any -> 192.168.1.0/24 53 (msg:"DNS version grab"; content:"|07|version|04|bind";)
alert tcp any any -> 192.168.1.0/24 53 (msg:"DNS Zone Transfer"; content:"|0000 FC|";)
alert udp any any -> 192.168.1.0/24 53 (msg:"DNS Zone Transfer"; content:"|0000 FC|";)
alert tcp any any -> 192.168.1.0/24 53 (msg:"DNS Any"; content:"|0000 FF|";)
alert udp any any -> 192.168.1.0/24 53 (msg:"DNS Any"; content:"|0000 FF|";)
# other interesting ports....
alert udp any any -> 192.168.1.0/24 161 (msg:"SNMP traffic";)
alert tcp any any -> 192.168.1.0/24 143 (msg:"IMAP traffic";)
alert tcp any any -> 192.168.1.0/24 512 (msg:"REXEC traffic";)
alert tcp any any -> 192.168.1.0/24 513 (msg:"RSH traffic";)
alert tcp any any -> 192.168.1.0/24 514 (msg:"RLOGIN traffic";)
alert udp any any -> 192.168.1.0/24 194 (msg:"IRC traffic";)
alert tcp any any -> 192.168.1.0/24 194 (msg:"IRC traffic";)
alert tcp any any -> 192.168.1.0/24 111 (msg:"Portmap traffic";)
alert udp any any -> 192.168.1.0/24 111 (msg:"Portmap traffic";)
alert tcp any any -> 192.168.1.0/24 32771 (msg:"Sun portmap traffic";)
alert udp any any -> 192.168.1.0/24 32771 (msg:"Sun portmap traffic";)
# alert on stuff going where it probably shouldn't be
alert tcp any 53 -> 192.168.1.0/24 :1024 (msg:"Source Port traffic";)
alert tcp any 25 -> 192.168.1.0/24 :1024 (msg:"Source Port traffic";)
#log all ICMP traffic
log icmp any any -> any any
#log interesting TCP/UDP traffic
#all tcp traffic below port 1024
log tcp any any -> 192.168.1.0/24 :1024
#grab xwindows traffic
log tcp any any -> 192.168.1.0/24 6000:6010
#high port RPC stuff too
log tcp any any -> 192.168.1.0/24 32000:33000
#do the same for UDP
log udp any any -> 192.168.1.0/24 :2000
log udp any any -> 192.168.1.0/24 32000:33000