[Snort-users] simple rule to alert when visiting a website

Joel Esler jesler at ...1935...
Tue Nov 17 11:03:53 EST 2009

So, your question is, how to write a rule to detect someone going to eBay?


On Tuesday, November 17, 2009, mary andrews <maryandrews22 at ...11827...> wrote:
> Forgive us, but we are evaluating the software and we are now learning it too,
> OK, I suppose you can call us newbies.
> we are trying to write simple rules, we have had some success so far,
> a little at a time, we are now trying to write a small rule to alert if someone
> is visiting a specific site, say www.ebay.com
> so far we have this in a file called testing.rules.
> # testing.rules
> alert icmp any any -> any any (msg:"$$$$$TESTING rule$$$$$"; sid:1000001;)
> It's rudimentary, we know, but it's working OK. Before we uncomment the config and include
> a bigger set of rules, we want to regression test them in their simplest form.
> if someone replies, and since I am not 100% sure how this list works yet,
> could you please copy me here? maryandrews22 at ...11827...
> many thanks,
> m

Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
