[Snort-sigs] how can we alert on web visiting activity?

Weir, Jason jason.weir at ...3410...
Thu Nov 19 13:49:20 EST 2009

rule 1000001 alerts on ICMP only
rule 1000002 alerts on TCP only
Pings are ICMP and website access would be TCP; not sure why your content
match for "ebay" is not working.

	-----Original Message-----
	From: mary andrews [mailto:maryandrews22 at ...2420...] 
	Sent: Thursday, November 19, 2009 1:41 PM
	To: snort-sigs at lists.sourceforge.net
	Subject: [Snort-sigs] how can we alert on web visiting activity?

	Hello there, we have a testing.rules file with the following 3

	alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
	alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; sid:1000002; rev:1;)

	we put the rule as generic as we can, of course ebay is just an
	ping any site produces the alert $TESTING rule$ on the dos screen snort has been started.

	But using Internet Explorer to go to ebay, does not produce any

	Our question is, what part of a rule triggers web visiting

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
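As an added illustration (not code from this thread or from Snort itself), a small evaluator for the two rules shows which rule parts decide what fires: first the header's protocol, then flow:established, then the content match. The rule text is the poster's, with the truncated ICMP rule completed using the sid 1000001 quoted in the reply (an assumption); the packets are constructed samples.

```python
import re
# Added illustration, not Snort itself: evaluates only the options the two
# rules in the thread use (msg, flow:established, content, nocase, sid, rev).
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("[^"]*"|[^;]*))?\s*;')

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("cannot parse rule: %r" % text)
    action, proto, src, sport, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto.lower()}
    for key, val in OPTION_RE.findall(body):
        rule[key] = val.strip('"') if val else True  # flag options carry no value
    return rule

def rule_matches(rule, pkt):
    # Header protocol is checked first: 1000001 only ever sees ICMP, 1000002
    # only TCP, so a ping can never trip the eBay rule and vice versa.
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    # flow:established requires a completed TCP handshake in Snort's view.
    if rule.get("flow") == "established" and not pkt.get("established", False):
        return False
    # content is a byte search in the payload; nocase makes it case-insensitive.
    if "content" in rule:
        hay, needle = pkt.get("payload", b""), rule["content"].encode()
        if rule.get("nocase"):
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

def alerts_for(rules, pkt):
    """Return the sids (as ints) of every rule the packet triggers."""
    return [int(r["sid"]) for r in rules if rule_matches(r, pkt)]

RULES = [parse_rule(r) for r in (
    'alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"test eBay rule"; flow:established; '
    'content:"ebay"; nocase; sid:1000002; rev:1;)',
)]

# Constructed sample traffic (not captures from the thread).
PING = {"proto": "icmp", "payload": b"abcdefghijklmnop"}
SYN_ONLY = {"proto": "tcp", "established": False, "payload": b""}
HTTP_GET = {"proto": "tcp", "established": True,
            "payload": b"GET / HTTP/1.1\r\nHost: www.EBAY.com\r\n\r\n"}
```

Running `alerts_for(RULES, HTTP_GET)` gives `[1000002]` while the ping gives only `[1000001]`, so if the browser visit produces nothing, the packets are either not reaching the sensor interface or Snort never saw the handshake that flow:established depends on.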