[Snort-sigs] how can we alert on web visiting activity?

Weir, Jason jason.weir at ...3410...
Thu Nov 19 14:31:49 EST 2009


Have you used TCPDump or Wireshark to verify that the packet is actually
getting to the sensor? No packet - no alert...

	-----Original Message-----
	From: mary andrews [mailto:maryandrews22 at ...2420...] 
	Sent: Thursday, November 19, 2009 2:28 PM
	To: evilghost at ...3397...; Snort-sigs at lists.sourceforge.net
	Subject: Re: [Snort-sigs] how can we alert on web visiting activity?
	
	
	we are pulling our hair on this one...
	 
	alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; rawbytes; sid:1000002; rev:1;)

	we are using snort 2.8.5.1 under win XP and the rawbytes didn't help here either...

	 



	On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397... <evilghost at ...3397...> wrote:
	

		What version of Snort are you using?  I have had issues with content
		matching working correctly in the 2.8 branch (as have others at Emerging
		Threats); I was able to get content matching to work as expected by
		using the rawbytes option.  See section 3.5.3 in the Snort manual.
		
		content:"ebay"; nocase; rawbytes;
		
		-evilghost
		


		mary andrews wrote:
		> Hello there, we have a testing.rules file with the following 3 lines
		>
		> #testing.rules
		> alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
		> alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; sid:1000002; rev:1;)
		> we put the rule as generic as we can; of course ebay is just an example.
		>
		> Pinging any site produces the alert $TESTING rule$ on the DOS screen where snort has
		> been started.
		>
		> But using Internet Explorer to go to ebay does not produce any alert.
		> Our question is, what part of a rule triggers web visiting activity?
		>
		> thanks,
		> m
		>
		>
		
		>
------------------------------------------------------------------------
		>
		>
------------------------------------------------------------------------
------
		> Let Crystal Reports handle the reporting - Free
Crystal Reports 2008 30-Day
		> trial. Simplify your report design, integration and
deployment - and focus on
		> what you do best, core application coding. Discover
what's new with
		> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
		>
------------------------------------------------------------------------
		>
		> _______________________________________________
		> Snort-sigs mailing list
		> Snort-sigs at lists.sourceforge.net
		>
https://lists.sourceforge.net/lists/listinfo/snort-sigs
		>
		


	
_____________________________________________________________________________________________
	
	Please visit www.nhrs.org to subscribe to NHRS email
announcements and updates.

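The thread turns on two things: whether the sensor sees the request bytes at all (Jason's tcpdump check), and what a content match actually compares against, raw payload versus the buffer a preprocessor has normalized (the rawbytes point). The following Python script is an added example, not code from the thread or from Snort; it builds a constructed Ethernet/IPv4/TCP frame around a sample HTTP request, strips the headers the way a sniffer would, and applies a Snort-style content:"ebay"; nocase; test to either the raw payload or a stand-in for http_inspect's URI decoding. The normalize_http function is a deliberate simplification (percent-decoding only) and is an assumption, not Snort's real normaliser; the sample requests and addresses are constructed.

```python
"""Added example: reproduce a Snort-style content/nocase/rawbytes match over a
constructed HTTP request so you can check locally whether the bytes that reach
the sensor would satisfy content:"ebay"; nocase;.  Not Snort's own code."""
import struct
from urllib.parse import unquote_to_bytes


def parse_content(value: str) -> bytes:
    """Turn a Snort content string such as 'eb|61 79|' into bytes.
    Text outside |...| is literal; inside, hex byte pairs."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet, IPv4 and TCP headers from a raw frame and return the
    application bytes, which is what the content matcher searches."""
    eth = 14
    ihl = (frame[eth] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[eth + 2:eth + 4])[0]
    tcp_start = eth + ihl
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_offset:eth + total_len]


def normalize_http(payload: bytes) -> bytes:
    """Assumed stand-in for http_inspect URI normalisation: percent-decode the
    request line only.  The real preprocessor does considerably more."""
    line, sep, rest = payload.partition(b"\r\n")
    return unquote_to_bytes(line) + sep + rest


def content_match(payload: bytes, pattern: bytes,
                  nocase: bool = False, rawbytes: bool = False) -> bool:
    """rawbytes searches the packet as captured; otherwise the normalized buffer."""
    buf = payload if rawbytes else normalize_http(payload)
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame around payload (checksums left zero,
    which is fine for header parsing).  Addresses are documentation ranges."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample requests: one carries "ebay" in the Host header in
# mixed case, the other hides it behind percent-encoding in the URI.
REQ_PLAIN = b"GET / HTTP/1.1\r\nHost: www.EBAY.com\r\n\r\n"
REQ_ENCODED = b"GET /search?q=%65bay HTTP/1.1\r\nHost: example.test\r\n\r\n"


def check(req: bytes, rawbytes: bool) -> bool:
    """Would content:"ebay"; nocase; (optionally rawbytes;) fire on this request?"""
    pattern = parse_content("ebay")
    return content_match(tcp_payload(build_frame(req)), pattern,
                         nocase=True, rawbytes=rawbytes)


if __name__ == "__main__":
    for name, req in (("plain", REQ_PLAIN), ("encoded", REQ_ENCODED)):
        print(f"{name}: rawbytes={check(req, True)} normalized={check(req, False)}")
```

Running it shows the plain request matching either way, while the percent-encoded URI matches only against the normalized buffer; that is the kind of difference rawbytes controls. It does not, however, explain a rule that never fires on any browsing at all: for that, Jason's check applies first (confirm with tcpdump or Wireshark that the HTTP request bytes actually traverse the sensor's interface), and remember that flow:established only passes when the stream preprocessor has tracked the TCP handshake, so a sensor that sees one direction of traffic, or none, produces no alert.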