[Snort-sigs] how can we alert on web visiting activity?

Jason Brvenik jasonb at ...435...
Thu Nov 19 14:46:27 EST 2009


Please try starting Snort without checksum checking. The Snort manual
has information about how to do that; to understand why, check out
checksum offloading.

On Thu, Nov 19, 2009 at 2:40 PM, mary andrews <maryandrews22 at ...2420...> wrote:
> Just one machine in all, running Windows XP, then Snort 2.8.5.1.
>
> When we open a DOS window and issue any ping, it alerts on the DOS screen in
> which Snort is running,
> and it also gets logged.
>
> Now from that machine we open an instance of Internet Explorer 8 and visit
> www.ebay.com
>
> We expect to see the alert on the DOS screen (or logged by Snort), just like
> the alert from the ping.
>
> Should we try something else?
>
> On Thu, Nov 19, 2009 at 2:35 PM, Jason Brvenik <jasonb at ...435...>
> wrote:
>>
>> Where are you accessing eBay from, and where is Snort in that equation?
>> What are the machines involved?
>>
>> On Thu, Nov 19, 2009 at 2:27 PM, mary andrews <maryandrews22 at ...2420...>
>> wrote:
>> > We are pulling our hair out on this one...
>> >
>> > alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
>> > content:"ebay"; nocase; rawbytes; sid:1000002;rev:1;)
>> >
>> > We are using Snort 2.8.5.1 under Windows XP and the rawbytes didn't help here
>> > either...
>> >
>> >
>> >
>> >
>> > On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397...
>> > <evilghost at ...3397...> wrote:
>> >>
>> >> What version of Snort are you using?  I have had issues with content
>> >> matching working correctly in the 2.8 branch (as have others at
>> >> Emerging Threats); I was able to get content matching to work as
>> >> expected by using the rawbytes option.  See section 3.5.3 in the Snort
>> >> manual.
>> >>
>> >> content:"ebay"; nocase; rawbytes;
>> >>
>> >> -evilghost
>> >>
>> >>
>> >> mary andrews wrote:
>> >> > Hello there, we have a testing.rules file with the following 3 lines
>> >> >
>> >> > #testing.rules
>> >> > alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
>> >> > alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
>> >> > content:"ebay"; nocase; sid:1000002;rev:1;)
>> >> > We made the rule as generic as we can; of course eBay is just an
>> >> > example.
>> >> >
>> >> > Pinging any site produces the alert $TESTING rule$ on the DOS screen
>> >> > where Snort has been started.
>> >> >
>> >> > But using Internet Explorer to go to eBay does not produce any
>> >> > alert.
>> >> > Our question is: what part of a rule triggers on web visiting activity?
>> >> >
>> >> > thanks,
>> >> > m
>> >> >
>> >> >
>> >> >
>> >> > ------------------------------------------------------------------------
>> >> >
>> >> >
>> >> >
>> >> > ------------------------------------------------------------------------------
>> >> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> >> > 30-Day
>> >> > trial. Simplify your report design, integration and deployment - and
>> >> > focus on
>> >> > what you do best, core application coding. Discover what's new with
>> >> > Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>> >> >
>> >> > ------------------------------------------------------------------------
>> >> >
>> >> > _______________________________________________
>> >> > Snort-sigs mailing list
>> >> > Snort-sigs at lists.sourceforge.net
>> >> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> >> >
>> >
>> >
>> >
>
>
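The following is an added example written for this page; it is not code from the thread, from Snort, or from any of the posters. It models in plain Python the two things Jason's answer turns on: a raw-payload match equivalent to `content:"ebay"; nocase;`, and Snort's habit of discarding a TCP segment whose checksum does not verify before any rule is evaluated. On a host with checksum offloading enabled, a sniffer on that same host sees its outbound TCP segments with the checksum field still zero (or garbage), because the NIC fills it in after the capture point; the builder reproduces that with `fill_checksum=False`. The addresses, ports, the HTTP request and the function names are all constructed for the example.

```python
"""Added example (editor's code, not from the thread or from Snort itself).

Models a content match over the raw TCP payload and the effect of Snort's
checksum verification on a capture taken from a host that offloads TCP
checksums to the NIC. Sample addresses and payload are constructed.
"""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd length with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo header that TCP includes in its checksum (RFC 793)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_segment(src_ip, dst_ip, sport, dport, payload, fill_checksum=True):
    """20-byte TCP header (PSH|ACK, no options) followed by payload.

    fill_checksum=False leaves the checksum field at 0, which is what a capture
    on the sending host shows when the NIC computes the checksum (offloading).
    """
    offset_flags = (5 << 12) | 0x18  # data offset 5 words; flags PSH, ACK
    header = struct.pack("!HHIIHHHH", sport, dport, 1, 1, offset_flags, 65535, 0, 0)
    if fill_checksum:
        csum = ones_complement_sum(
            tcp_pseudo_header(src_ip, dst_ip, len(header) + len(payload))
            + header + payload)
        header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """With a correct checksum, the sum over pseudo header + segment is 0."""
    return ones_complement_sum(
        tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def content_nocase_match(segment: bytes, pattern: bytes = b"ebay") -> bool:
    """Equivalent of  content:"ebay"; nocase;  over the raw TCP payload."""
    data_offset = (segment[12] >> 4) * 4  # header length from the data offset
    return pattern.lower() in segment[data_offset:].lower()


def inspect(src_ip: str, dst_ip: str, segment: bytes, checksum_mode: str = "all") -> str:
    """Mirror of Snort's decision order.

    checksum_mode "all"  -> verify the TCP checksum first (the default, -k all)
    checksum_mode "none" -> skip verification (-k none / config checksum_mode: none)
    """
    if checksum_mode == "all" and not tcp_checksum_ok(src_ip, dst_ip, segment):
        return "dropped: bad tcp checksum"
    return "alert" if content_nocase_match(segment) else "no match"


# Constructed sample traffic: a client (192.0.2.10) fetching a page whose
# Host header contains "ebay" from a documentation address (198.51.100.7).
SRC, DST = "192.0.2.10", "198.51.100.7"
REQUEST = b"GET / HTTP/1.1\r\nHost: www.ebay.com\r\n\r\n"
GOOD = build_tcp_segment(SRC, DST, 49152, 80, REQUEST)
OFFLOADED = build_tcp_segment(SRC, DST, 49152, 80, REQUEST, fill_checksum=False)

if __name__ == "__main__":
    print("good checksum, -k all :", inspect(SRC, DST, GOOD))
    print("offloaded,     -k all :", inspect(SRC, DST, OFFLOADED))
    print("offloaded,     -k none:", inspect(SRC, DST, OFFLOADED, checksum_mode="none"))
```

Run as a script, the first and third lines report an alert and the second reports the segment dropped for a bad checksum, which is the symptom in the thread: the rule is fine, the packet never reaches it. In Snort the equivalent switch is `-k none` on the command line or `config checksum_mode: none` in snort.conf. Treat it as a troubleshooting setting for a sensor sniffing its own host's traffic; a sensor fed from a tap or span port sees completed checksums and should keep the default, since bad-checksum packets there are noise or evasion attempts rather than offloading artefacts.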