[Snort-users] Rule to detect search engines

waldo kitty wkitty42 at ...14940...
Mon Jul 1 10:32:45 EDT 2013

On 7/1/2013 07:20, Borja Luaces wrote:
> Hello all,
> I am updating some rules to detect phishing sites against our customer and I was
> wondering if someone has created a rule set to "disable" search engine impacts.
> I was firstly thinking about adding to each rule some pcre, one for each mayor
> search engine (google, bing, yahoo,...) but I think this is nonsense.

actually, in your case, that is the way to go...

> As second option I though about creating a white list but I have no access to
> create it, I am only allowed to create rules.
> Any other idea?

in your phishing rules, set a flowbit... then in your rules to detect if it is a 
search engine, unset that flowbit... at the end, one rule to check the 
flowbit... if it is still set, then fire the phishing alert otherwise it is a 
search engine and the phishing alert is not fired...

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list