[Snort-users] Alert on web traffic instead of IP Address?

Joel Esler jesler at ...1935...
Tue Aug 11 10:40:55 EDT 2009


Correct, it is *not* possible to put hostnames in a rule.  It's probably
better to write a rule on the content of the traffic than to try and track
an IP.
Or, use the IP blacklist patch from Marty.

J

On Tue, Aug 11, 2009 at 10:32 AM, Isherwood, Jeffrey - AES <
Jeffrey.Isherwood at ...14632...> wrote:

> I have Snort rules that are looking for traffic to certain websites,
> based upon the IP Address of the destination…
>
> However I would like to create a few rules that look for traffic headed to
> a website that might be using Dynamic DNS (or fast flux) and so I do not
> know the IP Address of the dst host.
>
> For the IP Address alerts I use the following rule:
>
> alert tcp $HOME_NET any -> $MALICIOUS_IP any (msg:"Malicious traffic
> alert"; flow: established; classtype: policy-violation; priority:669;
> sid:2009072103; rev:2;)
>
> Where $HOME_NET is my internal network and $MALICIOUS_IP is the IP Address
> of a site that we have deemed to be dangerous.  I don’t think that I can put
> a website name in the variables… and with Dynamic DNS and FastFlux changing
> the IPs I can’t figure out how to alert on malicious sites being hidden
> behind the changing IP addresses.
>
> Is it even possible?
>

-- Joel Esler | Sourcefire | Google Voice: 302-223-5974
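As an added illustration of the content-based approach Joel recommends (these rules are not from the original thread), two Snort 2 rules that key on the requested hostname rather than the destination IP, so they keep firing when a Dynamic DNS or fast-flux name changes address. The hostname bad.example.com and the sids in the local range are placeholders; the first rule assumes the http_inspect preprocessor is enabled.

```snort
# Rule 1: match the HTTP Host header of outbound requests, whatever the
# server's IP is at the time. Needs the http_inspect preprocessor so the
# http_header modifier can scope the search to the request headers.
# "bad.example.com" is a placeholder hostname and sid 1000001 is an assumed
# local-range sid; neither comes from the original thread.
# Note: anchoring on "Host: " means www.bad.example.com will NOT match here;
# drop the "Host|3A| " prefix if subdomains should also alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY HTTP request to watched hostname"; flow:to_server,established; content:"Host|3A| bad.example.com"; nocase; http_header; classtype:policy-violation; sid:1000001; rev:1;)

# Rule 2: match the DNS lookup itself. This fires before any connection is
# made and is independent of which A record the name currently resolves to.
# In the wire format every label is prefixed by a length byte and the name
# ends with a zero byte, so the dotted string "bad.example.com" never appears
# in the payload; it is encoded as |03|bad|07|example|03|com|00|.
# The 2-byte check at offset 4 requires QDCOUNT == 1 (one question), which
# keeps the rule off responses and malformed packets without depending on the
# flags byte, which resolvers set differently (e.g. the AD bit).
# Because the pattern is unanchored, www.bad.example.com also matches.
alert udp $HOME_NET any -> any 53 (msg:"POLICY DNS query for watched hostname"; content:"|00 01|"; offset:4; depth:2; content:"|03|bad|07|example|03|com|00|"; nocase; classtype:policy-violation; sid:1000002; rev:1;)
```

Either rule can be loaded from a local.rules file and checked with `snort -T -c snort.conf` before deployment; the DNS rule is usually the more useful of the two for fast-flux names because it catches the lookup even when the subsequent connection is not HTTP.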