[Snort-sigs] how can we alert on web visiting activity?

evilghost at ...3397...
Thu Nov 19 14:01:59 EST 2009


What version of Snort are you using?  I have had issues with content 
matching working correctly in the 2.8 branch (as have others at Emerging 
Threats); I was able to get content matching to work as expected by 
using the rawbytes option.  See section 3.5.3 in the Snort manual.

content:"ebay"; nocase; rawbytes;

-evilghost


mary andrews wrote:
> Hello there, we have a testing.rules file with the following 3 lines
>
> #testing.rules
> alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
> alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
> content:"ebay"; nocase; sid:1000002;rev:1;)
> We put the rule as generic as we can; of course ebay is just an example.
>
> Pinging any site produces the alert $TESTING rule$ on the DOS screen where
> Snort was started.
>
> But using Internet Explorer to go to ebay does not produce any alert.
> Our question is, what part of a rule triggers web visiting activity?
>
> thanks,
> m
>
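Added example (not from either poster): a small model of what the rule above actually tests, so the "web visiting" question can be reasoned about offline. content:"ebay"; nocase; is a case-folded substring search over the TCP payload, so it fires on any request that carries the string anywhere (a Referer header, a cookie, page body text), not only on a visit to that host. The second check below parses the request and matches the Host header alone, which is usually what "alert when a user visits site X" means. The sample payloads are constructed, not captured traffic; the code does not model http_inspect normalization, which is the part of Snort that the rawbytes option bypasses. In Snort itself the http_header content modifier restricts a match to the HTTP header block, which is narrower than the whole payload but still wider than the Host header alone.

```python
from typing import Optional

# Constructed sample payloads (hypothetical, not captured traffic). Each is
# the request header block a browser sends for one HTTP/1.1 request.
REQUEST_EBAY = (
    b"GET /sch/i.html?_nkw=laptop HTTP/1.1\r\n"
    b"Host: www.EBAY.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# "ebay" appears only in the Referer, not in the Host: the generic content
# match fires, the Host-scoped check does not.
REQUEST_REFERER_ONLY = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.ebay.com/\r\n"
    b"\r\n"
)

REQUEST_OTHER = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)


def content_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Model of `content:"..."; nocase;` on one TCP payload: a substring
    search anywhere in the bytes, case-folded when nocase is set."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def http_host(payload: bytes) -> Optional[bytes]:
    """Return the Host header value of an HTTP/1.x request, or None when the
    payload is not a complete request header block carrying a Host header."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                       # header block not terminated
    request_line, *headers = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None                       # not an HTTP request line
    for line in headers:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip()
    return None                           # request without a Host header


def host_match(payload: bytes, pattern: bytes) -> bool:
    """Case-insensitive match restricted to the Host header: fires only when
    the request is actually addressed to a host containing the pattern."""
    host = http_host(payload)
    return host is not None and pattern.lower() in host.lower()


def evaluate(payload: bytes, pattern: bytes = b"ebay") -> dict:
    """Report what each check decides for one payload."""
    return {
        "generic_content": content_match(payload, pattern),
        "host_header_only": host_match(payload, pattern),
    }


if __name__ == "__main__":
    for name, payload in [("ebay", REQUEST_EBAY),
                          ("referer_only", REQUEST_REFERER_ONLY),
                          ("other", REQUEST_OTHER)]:
        print(name, evaluate(payload))
```

Running the script shows the difference directly: the eBay request trips both checks, the Referer-only request trips only the generic content match, and the unrelated request trips neither. Feeding the same three payloads through a test interface to Snort is a quick way to confirm whether a rule is failing on the match itself or on the buffer it is searching, which is the distinction the rawbytes suggestion above is about.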