[Snort-users] simple rule to alert when visiting a website

Rob Dixon rob.l.dixon at ...11827...
Tue Nov 17 11:25:06 EST 2009


Hi Mary,

There are some setup guides and other documentation @snort.org that cover
this subject.

There are a few ways to do this.

You could simply use a content match to look for "ebay.com", but this would
also trigger for any site that has that text.(false positives)

You could set a variable in the snort.conf and call it $ebay_servers and put
ebays net block in there? Then write a simple rules to match the headers
only. (more efficient)

Alert tcp any any -> ebay_servers any (msg:"Warning - EBAY Activity";)
something like that?

Or, use squid in passive mode.

Sounds like fun, good luck!

Rob

On Tue, Nov 17, 2009 at 10:49 AM, mary andrews <maryandrews22 at ...11827...>wrote:

> Forgive us, but we are evaluating the software and we are now learning it
> too,
> OK, I suppose you can call us newbies.
>
>
> we are trying to write simple rules, we have had some success so far,
> a little at a time, we are now trying to write a small rule to alert if
> someone
> is visiting a specific site, say www.ebay.com
>
> so far we have this in a file called testing.rules.
>
> # testing.rules
> alert icmp any any -> any any (msg:"$$$$$TESTING rule$$$$$"; sid:1000001;)
>
>  its rudimentary, we know, but its working ok. before we uncomment the
> config and include
> a bigger set of rules, we want to regresstion test them in their simplest
> form.
>
> if someone replies, and since I am not 100% sure how this list works yet,
> could you please copy me here? maryandrews22 at ...11827...
>
> many thanks,
> m
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Hackers for Charity Board Member
GPEN, C|HFI, ESSE-D, SnortCP, TNAP, TNCP, TECP, A+, whatever..

Bad news doesn't get any better with age.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20091117/16665d51/attachment.html>


More information about the Snort-users mailing list