[Snort-users] Create rule to check illegal web access

Josh Little josh at ...14998...
Thu Jul 19 13:15:23 EDT 2012


On 7/19/2012 8:59 AM, Antonin wrote:
> thanks for your answer.
> I have a proxy server but my goal is not to block this kind of traffic
> (it's already the case with the proxy).
>
> I just want to be alerted when a user (or malware, etc.) tries to
> reach this kind of website.
> We have a SIEM tool, and we want to have an alert.
>
Are you collecting your proxy logs into the SIEM tool? Couldn't your
SIEM just alert you when a specific category of site is observed or
acted upon? If you've already got the tools, why reinvent the wheel?

Alerting based upon seeing a keyword in an HTTP packet will create a lot
of noise. Reading an article on P2P legislation in the EU on Techdirt
would probably trigger your initial rule example and in no way be a
violation of your policy. Unless you are tracking the URL accessed or
have some other method to verify each result, you may not even be able
to efficiently weed out the FPs from the TPs.

--ZT
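
To make the noise argument above concrete, here is an added example (not code from the thread or from Snort) that runs a naive keyword rule and a category-based rule over a few constructed proxy log lines. It assumes a hypothetical proxy log format where the proxy's filter appends a URL category as the last field; the Techdirt-style article about P2P legislation is the false positive the post describes.

```python
# Constructed sample proxy log lines (hypothetical format: client, method,
# URL, category assigned by the proxy's URL filter). Not real traffic.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://www.techdirt.com/articles/eu-p2p-legislation.html news
10.0.0.7 GET http://tracker.example-p2p.net/announce?info_hash=deadbeef p2p
10.0.0.9 GET http://intranet.example/policy/bittorrent-faq.html internal
10.0.0.4 GET http://www.example.com/index.html business
"""

# Keyword list a naive packet content rule would look for.
KEYWORDS = ("p2p", "bittorrent", "torrent")

# Proxy categories that actually violate the policy (assumed labels).
ALERT_CATEGORIES = {"p2p"}


def parse_line(line):
    """Split one constructed log line into its four fields."""
    client, method, url, category = line.split()
    return {"client": client, "method": method, "url": url, "category": category}


def keyword_alerts(log_text):
    """Alert whenever a policy keyword appears anywhere in the URL (noisy)."""
    return [parse_line(l)["url"] for l in log_text.splitlines()
            if any(k in parse_line(l)["url"].lower() for k in KEYWORDS)]


def category_alerts(log_text):
    """Alert only when the proxy's category for the URL is in the policy set."""
    return [parse_line(l)["url"] for l in log_text.splitlines()
            if parse_line(l)["category"] in ALERT_CATEGORIES]


def keyword_false_positives(log_text):
    """URLs the keyword rule flags that the category rule does not."""
    return sorted(set(keyword_alerts(log_text)) - set(category_alerts(log_text)))


if __name__ == "__main__":
    for name, fn in (("keyword", keyword_alerts), ("category", category_alerts)):
        print(f"{name} rule fired on:")
        for url in fn(SAMPLE_PROXY_LOG):
            print("  ", url)
    print("keyword-only false positives:", keyword_false_positives(SAMPLE_PROXY_LOG))
```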

