[Snort-sigs] filter http traffic

Balasubramaniam Natarajan bala150985 at ...2420...
Sun May 20 14:07:30 EDT 2012


One small question: I doubt that this is possible, because when I type in
google.com the browser automatically switches over to
https://www.google.co.in/, so in that case we may not be able to trace it.

@kenterer1, does your browser switch to https on google.com?

On Sun, May 20, 2012 at 9:02 PM, Joel Esler <jesler at ...435...> wrote:

> Yes, it is possible. I suggest capturing a packet flow of you doing the
> search, then you should be able to see the structure of the query much
> better.
>
> --
> Joel Esler
>
> On May 19, 2012, at 9:26 AM, Sdflkaj Jksdfj <kenterer1 at ...3680...> wrote:
>
> Hey there,
>
> I want to filter search requests to e.g. google which have certain
> keywords.
>
> my suggestion is the following:
>
>  alert tcp any any -> any any (pcre: "/(keyword1|keyword2)/i"; msg:
> "someone searches for rootkit or malware in google bing or yahooo"; sid:
> 1000004;rev:1;)
>
>  Since I want to be able to use regular expressions I use PCRE. However
> this line only gives an alarm if I use the "url bar" of the browser to search
> for keywords. If I visit google.com and type the keywords in the input
> box, there is no alarm going off. :/
>
> I would appreciate any inspiration.
>
> cheers
> kenterer
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>



-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
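To make the two points in this thread concrete (why the posted rule behaves oddly, and why the search box and the URL bar look different on the wire), here is an added Python example. It is not code from the thread or from the Snort project; the HTTP requests in it are constructed samples, and the mapping of Bing and Yahoo to the `q` and `p` query parameters is an assumption made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (not captured traffic). The first is the kind of
# URL a browser builds when a search is typed into the URL bar; the second is
# what the search page's own form submits. The keyword parameter moves around,
# so a rule that only expects it in one position misses one of them.
URL_BAR_REQUEST = (
    "GET /search?q=rootkit+removal&sourceid=chrome&ie=UTF-8 HTTP/1.1\r\n"
    "Host: www.google.com\r\n\r\n"
)
SEARCH_BOX_REQUEST = (
    "GET /search?hl=en&source=hp&q=malware%20analysis&btnG=Search HTTP/1.1\r\n"
    "Host: www.google.com\r\n\r\n"
)
UNRELATED_REQUEST = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Keywords from the thread's msg string.
WATCHLIST = ("rootkit", "malware")

# Engines named in the thread and the query parameter each uses.
# Assumption for this example: Bing uses "q" and Yahoo uses "p".
SEARCH_PARAMS = {"google": "q", "bing": "q", "yahoo": "p"}


def parse_request(raw):
    """Return (method, host, path, query dict) from a plaintext HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    parts = urlsplit(target)
    # parse_qs decodes both '+' and %20 to a space, so the two request
    # styles normalise to the same phrase.
    return method, host, parts.path, parse_qs(parts.query)


def search_terms(raw):
    """Extract the search phrase regardless of where the parameter sits."""
    method, host, _path, query = parse_request(raw)
    if method != "GET":
        return None
    for engine, param in SEARCH_PARAMS.items():
        if engine in host and param in query:
            return query[param][0].lower()
    return None


def watchlist_hits(raw, watchlist=WATCHLIST):
    """Watchlist words found in the request's search phrase (empty if none)."""
    terms = search_terms(raw)
    if terms is None:
        return []
    return [w for w in watchlist if w in terms]


# Why the originally posted pattern is a problem: a group quantified with '*'
# also matches the empty string, so the PCRE succeeds at offset 0 of any
# payload and the rule fires on every packet. Dropping the '*' fixes it.
POSTED_PATTERN = re.compile(r"(rootkit|malware)*")
FIXED_PATTERN = re.compile(r"(rootkit|malware)", re.IGNORECASE)


def pattern_fires(pattern, payload):
    return pattern.search(payload) is not None


# Why the HTTPS redirect matters: once the browser is on https://, the first
# bytes on the wire are a TLS record (content type 0x16 = handshake), not an
# HTTP request line, so there is no URL or query string for a pcre to inspect.
TLS_HANDSHAKE_PREFIX = bytes.fromhex("160301")  # constructed TLS 1.x record header


def plaintext_http(payload: bytes) -> bool:
    """True only when the payload starts with an HTTP method token."""
    return payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")


if __name__ == "__main__":
    for name, req in (("url bar", URL_BAR_REQUEST),
                      ("search box", SEARCH_BOX_REQUEST),
                      ("unrelated", UNRELATED_REQUEST)):
        print(f"{name:10s} -> {watchlist_hits(req)}")
    print("posted pattern fires on unrelated request:",
          pattern_fires(POSTED_PATTERN, UNRELATED_REQUEST))
    print("TLS record inspectable as HTTP:",
          plaintext_http(TLS_HANDSHAKE_PREFIX + b"\x00\x05\x01..."))
```

The practical takeaway matches Joel's advice: capture the real flow first, because the parameter the keyword lands in and its position depend on how the search was started, and a rule anchored on the request line or the normalised URI is more reliable than a bare pcre over the whole stream.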