[Snort-users] simple rule to alert when visiting a website
jesler at ...1935...
Tue Nov 17 11:44:27 EST 2009
Actually ip lists aren't terribly as speedy as a simple content match.
On Tuesday, November 17, 2009, Rob Dixon <rob.l.dixon at ...11827...> wrote:
> Hi Mary,
> There are some setup guides and other documentation @snort.org that cover this subject.
> There are a few ways to do this.
> You could simply use a content match to look for "ebay.com", but this would also trigger for any site that has that text.(false positives)
> You could set a variable in the snort.conf and call it $ebay_servers and put ebays net block in there? Then write a simple rules to match the headers only. (more efficient)
> Alert tcp any any -> ebay_servers any (msg:"Warning - EBAY Activity";) something like that?
> Or, use squid in passive mode.
> Sounds like fun, good luck!
> Forgive us, but we are evaluating the software and we are now learning it too,
> OK, I suppose you can call us newbies.
> we are trying to write simple rules, we have had some success so far,
> a little at a time, we are now trying to write a small rule to alert if someone
> is visiting a specific site, say www.ebay.com <http://www.ebay.com/>
> so far we have this in a file called testing.rules.
> # testing.rules
> alert icmp any any -> any any (msg:"$$$$$TESTING rule$$$$$"; sid:1000001;)
> its rudimentary, we know, but its working ok. before we uncomment the config and include
> a bigger set of rules, we want to regresstion test them in their simplest form.
> if someone replies, and since I am not 100% sure how this list works yet,
> many thanks,
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Hackers for Charity Board Member
> GPEN, C|HFI, ESSE-D, SnortCP, TNAP, TNCP, TECP, A+, whatever..
> Bad news doesn't get any better with age.
Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
More information about the Snort-users