[Snort-users] Fwd: simple rule to alert when visiting a website

Joel Esler jesler at ...1935...
Tue Nov 17 13:52:49 EST 2009


---------- Forwarded message ----------
From: mary andrews <maryandrews22 at ...11827...>
Date: Tue, Nov 17, 2009 at 12:49 PM
Subject: Re: [Snort-users] simple rule to alert when visiting a website
To: Joel Esler <jesler at ...1935...>


We promise to hit the docs when things are more confirmed, first we want to
convince the upstairs.
At this stage we don't really care for efficiency, we just want to show some
results so someone can sign for the $OK$,
if you know what we mean. :-)

Now,
1. We put this line here in a rules file which I included in my config.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test eBay rule";
flow:to_server,established; content:"eBay.com"; nocase; sid:10000002;
rev:1;)
2. We also added one line only with the number 1000002 at the bottom of file
sid-msg.map
3. We restarted snort, but when I use IE to go to www.ebay.com, no alerts
are displayed on the DOS window.

What are we doing wrong?

thanks,
m



On Tue, Nov 17, 2009 at 11:43 AM, Joel Esler <jesler at ...1935...> wrote:

> There are plenty of docs to learn how to do this on snort.org, as well
> as being included with the Snort software that you downloaded.
>
> I don't know how you intend to perform "regression" testing on the
> rules. But let us know how that works out.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test eBay
> rule"; flow:to_server,established; content:"eBay.com"; nocase;
> sid:1000000; rev:1;)
>
> is a more proper way to do what you want.
>
> IP rules = generally bad
> any any rules = generally bad
>
> there are all kinds of webinars, white papers, and instructions to
> help you do what you want on Snort.org. I would encourage you to check
> those out as the rule I wrote above will fit only a very specific
> service and function.
>
> J
> -written on a cell phone
>
>
>
> On Tuesday, November 17, 2009, mary andrews <maryandrews22 at ...11827...>
> wrote:
> > well, I am using ebay.com as an example, but basically yes.
> >
> > On Tue, Nov 17, 2009 at 11:03 AM, Joel Esler <jesler at ...1935...> wrote:
> > So, your question is, how to write a rule to detect someone going to
> eBay?
> >
> > J
> >
> > On Tuesday, November 17, 2009, mary andrews <maryandrews22 at ...11827...> wrote:
> >> Forgive us, but we are evaluating the software and we are now learning
> it too,
> >> OK, I suppose you can call us newbies.
> >>
> >>
> >> we are trying to write simple rules, we have had some success so far,
> >> a little at a time, we are now trying to write a small rule to alert if
> someone
> >> is visiting a specific site, say www.ebay.com <http://www.ebay.com/>
> >>
> >> so far we have this in a file called testing.rules.
> >>
> >> # testing.rules
> >> alert icmp any any -> any any (msg:"$$$$$TESTING rule$$$$$";
> sid:1000001;)
> >>
> >>
> >> it's rudimentary, we know, but it's working ok. before we uncomment the
> config and include
> >> a bigger set of rules, we want to regression test them in their
> simplest form.
> >>
> >> if someone replies, and since I am not 100% sure how this list works
> yet,
> >> could you please copy me here? maryandrews22 at ...11827...
> >>
> >> many thanks,
> >> m
> >>
> >
> > --
> > Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
> >
> >
>
> --
> Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
>




-- 
Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
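Editor's note: the thread ends without a resolution, but one thing worth checking mechanically is that every `sid:` in a rules file has a matching sid-msg.map entry and that rule lines are well-formed. The script below is an added example, not code from the thread or from the Snort project. It assumes the classic sid-msg.map layout of one entry per line in the form `sid || msg`; the sample input is constructed from the two rules posted above (the second one wrapped with Snort's backslash line continuation), plus the single `1000002` map line the poster says they added and a constructed map entry for the ICMP rule.

```python
"""Cross-check a Snort rules file against sid-msg.map and lint rule lines."""
import re
from typing import Dict, List, Optional

RULE_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

# Constructed sample input based on the thread (not real files).
RULES_TEXT = """# testing.rules
alert icmp any any -> any any (msg:"$$$$$TESTING rule$$$$$"; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test eBay rule"; \\
flow:to_server,established; content:"eBay.com"; nocase; sid:10000002; \\
rev:1;)
"""
SID_MSG_MAP_TEXT = """1000001 || $$$$$TESTING rule$$$$$
1000002
"""


def join_continuations(text: str) -> List[str]:
    """Snort joins a line ending in a backslash with the next one; do the same."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_rules(text: str) -> Dict[int, str]:
    """Return sid -> msg for every rule that carries a sid (comments skipped)."""
    out: Dict[int, str] = {}
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", line)
        msg = re.search(r'\bmsg\s*:\s*"([^"]*)"\s*;', line)
        if not sid:
            continue  # a rule without a sid cannot be mapped anyway
        out[int(sid.group(1))] = msg.group(1) if msg else ""
    return out


def parse_sid_msg_map(text: str) -> Dict[int, Optional[str]]:
    """Return sid -> msg (None when the entry has no message text)."""
    out: Dict[int, Optional[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if not fields[0].isdigit():
            continue
        out[int(fields[0])] = fields[1] if len(fields) > 1 and fields[1] else None
    return out


def lint_rule_line(line: str) -> List[str]:
    """Flag a non-lowercase/unknown action and missing sid: or rev: keywords."""
    problems: List[str] = []
    action = line.split(None, 1)[0] if line.split() else ""
    if action not in RULE_ACTIONS:
        hint = f" (did you mean '{action.lower()}'?)" if action.lower() in RULE_ACTIONS else ""
        problems.append(f"unknown rule action '{action}'{hint}")
    if not re.search(r"\bsid\s*:\s*\d+\s*;", line):
        problems.append("missing sid: keyword")
    if not re.search(r"\brev\s*:\s*\d+\s*;", line):
        problems.append("missing rev: keyword")
    return problems


def check(rules_text: str, map_text: str) -> List[str]:
    """Report sids present on only one side, and map entries without a message."""
    rules = parse_rules(rules_text)
    mapping = parse_sid_msg_map(map_text)
    findings: List[str] = []
    for sid, msg in rules.items():
        if sid not in mapping:
            findings.append(f"sid {sid}: rule has no sid-msg.map entry")
        elif mapping[sid] is not None and mapping[sid] != msg:
            findings.append(f"sid {sid}: msg differs between rule and sid-msg.map")
    for sid, msg in mapping.items():
        if sid not in rules:
            findings.append(f"sid {sid}: sid-msg.map entry has no matching rule")
        if msg is None:
            findings.append(f"sid {sid}: sid-msg.map entry has no message text")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check(RULES_TEXT, SID_MSG_MAP_TEXT):
        print(finding)
    for rule in join_continuations(RULES_TEXT):
        if rule.strip() and not rule.startswith("#"):
            for problem in lint_rule_line(rule):
                print(f"{problem}: {rule[:40]}...")
```

Run against the sample, the checker reports that the rule's sid (10000002) has no map entry and that the map line (1000002) matches no rule and carries no message text; the linter separately reports the ICMP rule's missing `rev:` and would reject a capitalised action such as `Alert`, which Snort does not accept.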

