[Snort-sigs] how can we alert on web visiting activity?

Jason Brvenik jasonb at ...435...
Thu Nov 19 14:35:35 EST 2009


Where are you accessing eBay from, and where is Snort in that equation?
What are the machines involved?

On Thu, Nov 19, 2009 at 2:27 PM, mary andrews <maryandrews22 at ...2420...> wrote:
> we are pulling our hair on this one...
>
> alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
> content:"ebay"; nocase; rawbytes; sid:1000002;rev:1;)
>
> We are using Snort 2.8.5.1 under Win XP and the rawbytes didn't help here
> either...
>
>
>
>
> On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397...
> <evilghost at ...3397...> wrote:
>>
>> What version of Snort are you using?  I have had issues with content
>> matching working correctly in the 2.8 branch (as have others at Emerging
>> Threats), I was able to get content matching to work as expected by
>> using the rawbytes option.  See section 3.5.3 in the Snort manual.
>>
>> content:"ebay"; nocase; rawbytes;
>>
>> -evilghost
>>
>>
>> mary andrews wrote:
>> > Hello there, we have a testing.rules file with the following 3 lines
>> >
>> > #testing.rules
>> > alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
>> > alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
>> > content:"ebay"; nocase; sid:1000002;rev:1;)
>> > We made the rule as generic as we can; of course eBay is just an example.
>> >
>> > Pinging any site produces the alert $TESTING rule$ on the DOS screen where
>> > Snort has been started.
>> >
>> > But using Internet Explorer to go to eBay does not produce any alert.
>> > Our question is, what part of a rule triggers web visiting activity?
>> >
>> > thanks,
>> > m
>> >
>> >
>> > _______________________________________________
>> > Snort-sigs mailing list
>> > Snort-sigs at lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> >
>
>
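A toy evaluator, added here and not part of the thread or of Snort itself, that applies the two posted rules to constructed packets. It shows that nocase lets "ebay" match a mixed-case Host header and that flow:established only lets the TCP rule fire once the full SYN / SYN-ACK / ACK handshake has been seen by the sensor; the addresses and the HTTP request are constructed sample data.

```python
from collections import namedtuple

# The two rules posted in the thread, verbatim.
RULES = [
    'alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"test eBay rule"; flow:established; '
    'content:"ebay"; nocase; sid:1000002;rev:1;)',
]
# Constructed packet record; flags are TCP flag letters ("S", "SA", "A", "PA").
Packet = namedtuple("Packet", "proto src dst flags payload", defaults=("", b""))

def parse_rule(text):
    # Protocol from the rule header, then every "key:value;" option into a dict.
    header, body = text.split("(", 1)
    opts = {"proto": header.split()[1]}
    for opt in filter(str.strip, body.rstrip(")").split(";")):
        key, _, val = opt.strip().partition(":")
        opts[key] = val.strip().strip('"')
    return opts

class ToyEngine:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.steps = {}  # flow key -> handshake steps seen; 3 means established

    def _established(self, p):
        # Minimal stream tracker: SYN, SYN/ACK and ACK must all be observed.
        key = frozenset((p.src, p.dst))
        step = self.steps.get(key, 0)
        if (p.flags, step) in {("S", 0), ("SA", 1), ("A", 2)}:
            self.steps[key] = step + 1
        return self.steps.get(key, 0) >= 3

    def inspect(self, p):
        # Return the msg of each rule that fires on this packet.
        established = p.proto == "tcp" and self._established(p)
        fired = []
        for r in self.rules:
            if r["proto"] != p.proto or (r.get("flow") == "established" and not established):
                continue
            pat, hay = r.get("content", "").encode(), p.payload
            if "nocase" in r:
                pat, hay = pat.lower(), hay.lower()
            if pat in hay:
                fired.append(r["msg"])
        return fired

def run_demo():
    get = b"GET / HTTP/1.1\r\nHost: www.eBay.com\r\n\r\n"  # constructed request
    eng, c, s = ToyEngine(RULES), "192.0.2.10", "198.51.100.20"
    out = {"ping": eng.inspect(Packet("icmp", c, s))}
    for flags, src, dst in (("S", c, s), ("SA", s, c), ("A", c, s)):
        eng.inspect(Packet("tcp", src, dst, flags))  # handshake, no payload
    out["get_after_handshake"] = eng.inspect(Packet("tcp", c, s, "PA", get))
    # Same request on a session whose handshake the sensor never saw.
    out["get_midstream"] = eng.inspect(Packet("tcp", "192.0.2.11", s, "PA", get))
    return out
```

The midstream case is the one to check when a content rule never fires: if the sensor is not positioned to see the client's handshake, flow:established suppresses the match even though the payload contains the string.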