[Snort-sigs] how can we alert on web visiting activity?
maryandrews22 at ...2420...
Thu Nov 19 13:40:58 EST 2009
Hello there, we have a testing.rules file with the following 3 lines:
alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
content:"ebay"; nocase; sid:1000002;rev:1;)
We made the rule as generic as we can; of course, ebay is just an example.
Pinging any site produces the alert $TESTING rule$ on the DOS screen snort has
But using Internet Explorer to go to ebay does not produce any alert.
Our question is, what part of a rule triggers web visiting activity?