[Snort-users] Help with a new rule to detect web traffic

Chris Hoover revoohc at ...10743...
Tue Feb 3 17:20:04 EST 2004


I need some help writing a new rule.  Where I work, we are running an
internet proxy server (running squid).  However, we also have an open
firewall allowing anyone who configures their browser to bypass the
proxy to go anywhere they want (don't ask on this choice).  

Anyway, we are working a plan to close this open hole to the internet. 
In order to get a scope on the problem, I need to get some sort of a
count as to how many machines are bypassing the proxy.  Please help me
get this rule written.

Basically, I need the rule to state:
anyone not using the proxy on any port going to the internet, but not an
extra_net on port 80 -> log

Here is what I have tried.  - EXTRA_NET is the set of internet sites anyone
can get to (IPs changed to bogus IPs to protect the guilty and the innocent.
:) ).
var EXTRA_NET [4.5.6.7,8.9.10.11,12.13.14.15,16.17.18.19,20.21.22.23,24.25.26.27,10.30.0.0/16,28.29.0.0/16,30.31.32.0/24,33.34.35.0/24,36.37.38.0/24]
var PROXY_SERVER 1.2.3.4
# Source: HOME_NET minus the proxy; destination: EXTERNAL_NET minus the
# EXTRA_NET sites. Protocol is tcp rather than ip, because a port number is
# only meaningful for tcp/udp. sid/rev are placeholders (local rules use
# sid >= 1000000). Assumes EXTERNAL_NET is defined as !$HOME_NET.
alert tcp [$HOME_NET,!$PROXY_SERVER] any -> [$EXTERNAL_NET,!$EXTRA_NET] 80 (msg:"NON PROXY WEB ACCESS"; sid:1000001; rev:1;)

Thanks for any help getting this rule to work.

chris
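The matching logic the rule header is meant to express, emulated in Python over constructed flow records so the "how many machines are bypassing the proxy" count can be checked by hand. This is an added example, not code from the original post or from Snort. EXTRA_NET and PROXY_SERVER are the (already bogus) values from the post; HOME_NET is an assumption chosen so the proxy sits inside it, EXTERNAL_NET is assumed to be !$HOME_NET, and the flow records and external addresses are constructed.

```python
import ipaddress
from collections import Counter

# Network variables. EXTRA_NET and PROXY_SERVER come from the post; HOME_NET is
# an assumption for this example (contains the proxy address). EXTERNAL_NET is
# taken to be !$HOME_NET, as in a typical snort.conf.
HOME_NET = ["1.2.3.0/24"]
PROXY_SERVER = ["1.2.3.4"]
EXTRA_NET = ["4.5.6.7", "8.9.10.11", "12.13.14.15", "16.17.18.19",
             "20.21.22.23", "24.25.26.27", "10.30.0.0/16", "28.29.0.0/16",
             "30.31.32.0/24", "33.34.35.0/24", "36.37.38.0/24"]


def in_list(ip, nets):
    """True if ip falls inside any address or CIDR block in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def matches_rule(proto, src, sport, dst, dport):
    """Emulate the header
         alert tcp [$HOME_NET,!$PROXY_SERVER] any -> [$EXTERNAL_NET,!$EXTRA_NET] 80
    Source: inside HOME_NET but not the proxy. Destination: outside HOME_NET
    and not one of the EXTRA_NET sites. Port 80 only; no payload inspection.
    """
    if proto != "TCP":
        return False
    if not in_list(src, HOME_NET) or in_list(src, PROXY_SERVER):
        return False
    if in_list(dst, HOME_NET) or in_list(dst, EXTRA_NET):
        return False
    return dport == 80


def count_bypassing_hosts(flows):
    """Return a Counter of source IP -> number of matching flows; len() of it
    is the 'how many machines bypass the proxy' figure the post asks for."""
    hits = Counter()
    for proto, src, sport, dst, dport in flows:
        if matches_rule(proto, src, sport, dst, dport):
            hits[src] += 1
    return hits


# Constructed flow records (protocol, src, sport, dst, dport). External
# addresses are from the RFC 5737 documentation ranges, not real sites.
SAMPLE_FLOWS = [
    ("TCP", "1.2.3.10", 51000, "198.51.100.7", 80),   # browser bypassing proxy
    ("TCP", "1.2.3.4", 40000, "198.51.100.7", 80),    # the proxy itself: excluded
    ("TCP", "1.2.3.11", 51001, "4.5.6.7", 80),        # EXTRA_NET site: allowed
    ("TCP", "1.2.3.10", 51002, "203.0.113.9", 80),    # same host again
    ("TCP", "1.2.3.12", 51003, "198.51.100.7", 443),  # HTTPS: rule only covers 80
    ("UDP", "1.2.3.13", 53, "198.51.100.53", 53),     # not TCP
    ("TCP", "1.2.3.14", 51004, "10.30.5.5", 80),      # inside 10.30.0.0/16 (EXTRA_NET)
    ("TCP", "1.2.3.15", 51005, "1.2.3.20", 80),       # internal web server
    ("TCP", "1.2.3.16", 51006, "203.0.113.10", 80),   # second bypassing host
]

if __name__ == "__main__":
    hits = count_bypassing_hosts(SAMPLE_FLOWS)
    print(f"{len(hits)} host(s) bypassing the proxy:")
    for host, n in hits.most_common():
        print(f"  {host}  {n} flow(s)")
```

Run as a script it reports two hosts (1.2.3.10 with two flows, 1.2.3.16 with one). The 443 flow is deliberately included: a rule that only watches port 80 never counts a host that bypasses the proxy for HTTPS, so the figure it produces is a lower bound.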
