[Snort-sigs] how can we alert on web visiting activity?

Weir, Jason jason.weir at ...3410...
Thu Nov 19 13:49:20 EST 2009


rule 1000001 alerts on ICMP only
rule 1000002 alerts on TCP only
 
Pings are ICMP and website access would be TCP; not sure why your content
match for "ebay" is not working.
 
-J 

	-----Original Message-----
	From: mary andrews [mailto:maryandrews22 at ...2420...] 
	Sent: Thursday, November 19, 2009 1:41 PM
	To: snort-sigs at lists.sourceforge.net
	Subject: [Snort-sigs] how can we alert on web visiting activity?
	
	

	Hello there, we have a testing.rules file with the following 3 lines

	#testing.rules
	alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
	alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; sid:1000002;rev:1;)

	we put the rule as generic as we can; of course ebay is just an example.
	 
	Pinging any site produces the alert $TESTING rule$ on the DOS screen where snort has been started.

	But using Internet Explorer to go to ebay does not produce any alert.

	Our question is, what part of a rule triggers web visiting activity?

	thanks,
	m  

_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
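As an added illustration of the point above (example code written for this page, not Snort's own code): a deliberately simplified Python evaluator that parses the two posted rules and runs them over two constructed packets, an ICMP echo and an HTTP GET whose Host header names ebay. It checks the rule header's protocol before it ever looks at a content option, so sid 1000001 can only fire on ICMP and sid 1000002 only on TCP; it does not model Snort's preprocessors or stream reassembly, which real `flow:established` depends on.

```python
import re

# Constructed sample packets (not from the thread): an ICMP echo request and an HTTP GET to ebay.
PACKETS = [
    {"proto": "icmp", "src": "10.0.0.5", "sport": 0, "dst": "8.8.8.8", "dport": 0,
     "payload": b"\x08\x00abcd", "established": False},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 49152, "dst": "66.135.200.1", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: www.ebay.com\r\n\r\n", "established": True},
]
RULES = [  # the two rules as posted in testing.rules
    'alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"test eBay rule"; flow:established; '
    'content:"ebay"; nocase; sid:1000002;rev:1;)',
]
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(text):
    """Split a one-line rule into header fields plus an ordered (key, value) option list."""
    _action, proto, src, sport, dst, dport, opts = HEADER.match(text).groups()
    options = []
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options.append((key.strip(), val.strip().strip('"')))
    return {"proto": proto.lower(), "src": src, "sport": sport, "dst": dst, "dport": dport, "options": options}

def rule_matches(rule, pkt):
    """Header first: the proto field alone decides which traffic a rule can ever see."""
    if rule["proto"] != pkt["proto"]:
        return False
    if any(rule[k] not in ("any", str(pkt[k])) for k in ("src", "sport", "dst", "dport")):
        return False
    contents = []  # [pattern, nocase] pairs; nocase modifies the content just before it
    for key, val in rule["options"]:
        if key == "content":
            contents.append([val.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
        elif key == "flow" and "established" in val and not pkt["established"]:
            return False  # real Snort takes this state from the stream preprocessor
    for pattern, nocase in contents:
        hay = pkt["payload"].lower() if nocase else pkt["payload"]
        if (pattern.lower() if nocase else pattern) not in hay:
            return False
    return True

def alerts(rules=RULES, packets=PACKETS):
    """Return (sid, msg) for every rule that fires, in packet order."""
    parsed = [(r, dict(r["options"])) for r in map(parse_rule, rules)]
    return [(int(o["sid"]), o["msg"]) for p in packets for r, o in parsed if rule_matches(r, p)]
```

Swapping the GET's Host header for another site, or marking the TCP packet as not established, makes sid 1000002 go quiet, which is the kind of thing to check when a content rule looks right but never fires.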