[Snort-users] Alert on web traffic instead of IP Address?

Isherwood, Jeffrey - AES Jeffrey.Isherwood at ...14632...
Tue Aug 11 10:32:11 EDT 2009

I have snort rules that are looking for traffic to certain websites, based upon the IP Address of the destination...

However, I would like to create a few rules that look for traffic headed to a website that might be using Dynamic DNS (or fast flux), and so I do not know the IP Address of the dst host.

For the IP Address alerts I use the following rule:

alert tcp $HOME_NET any -> $MALICIOUS_IP any (msg:"Malicious traffic alert"; flow: established; classtype: policy-violation; priority:669; sid:2009072103; rev:2;)

Where $HOME_NET is my internal network and $MALICIOUS_IP is the IP Address of a site that we have deemed to be dangerous. I don't think that I can put a website name in the variables... and with Dynamic DNS and fast flux changing the IPs, I can't figure out how to alert on malicious sites being hidden behind the changing IP addresses.

Is it even possible?
