[Snort-sigs] how can we alert on web visiting activity?

mary andrews maryandrews22 at ...2420...
Thu Nov 19 13:40:58 EST 2009


Hello there, we have a testing.rules file with the following 3 lines

#testing.rules
alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
content:"ebay"; nocase; sid:1000002;rev:1;)
we put the rule as generic as we can, of course ebay is just an example.

ping any site produces the alert $TESTING rule$ on the dos screen snort has
been started.

But using Internet Explorer to go to ebay, does not produce any alert.
Our question is, what part of a rule triggers web visiting activity?

thanks,
m
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20091119/e0321537/attachment.html>


More information about the Snort-sigs mailing list