[Snort-sigs] how can we alert on web visiting activity?
jason.weir at ...3410...
Thu Nov 19 13:49:20 EST 2009
rule 1000001 alerts on ICMP only
rule 1000002 alerts on TCP only
Pings are ICMP and website access would be TCP. Not sure why your content
match for "ebay" is not working.
From: mary andrews [mailto:maryandrews22 at ...2420...]
Sent: Thursday, November 19, 2009 1:41 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] how can we alert on web visiting activity?
Hello there, we have a testing.rules file with the following 3
alert icmp any any -> any any (msg:"$TESTING rule$";
alert tcp any any -> any any (msg:"test eBay rule";
flow:established; content:"ebay"; nocase; sid:1000002;rev:1;)
we put the rule as generic as we can, of course ebay is just an
Pinging any site produces the alert $TESTING rule$ on the DOS
screen where Snort has been started.
But using Internet Explorer to go to ebay, does not produce any
Our question is, what part of a rule triggers web visiting