[Snort-users] Rule to detect search engines
wkitty42 at ...14940...
Mon Jul 1 10:32:45 EDT 2013
On 7/1/2013 07:20, Borja Luaces wrote:
> Hello all,
> I am updating some rules to detect phishing sites against our customer and I was
> wondering if someone has created a rule set to "disable" search engine impacts.
> I was firstly thinking about adding to each rule some pcre, one for each major
> search engine (google, bing, yahoo,...) but I think this is nonsense.
actually, in your case, that is the way to go...
> As second option I thought about creating a white list but I have no access to
> create it, I am only allowed to create rules.
> Any other idea?
in your phishing rules, set a flowbit... then in your rules to detect if it is a
search engine, unset that flowbit... at the end, one rule to check the
flowbit... if it is still set, then fire the phishing alert otherwise it is a
search engine and the phishing alert is not fired...
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
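One way to write the flowbit scheme from the reply in Snort 2.9 rule syntax, as an added example rather than anything posted to the list. The bit is set on the search-engine request, which Snort sees before the response, and tested with isnotset in the phishing rule, so the polarity is inverted from the reply but the effect is the same. Variables, sids, the host list and the brand string are constructed placeholders.

```snort
# Added example (not from the list post): two local.rules entries for Snort 2.9.
# Names, sids, the search-engine host list and "ExampleBank" are constructed.
# The bit is set on the client request, which arrives before the server response,
# so the suppression is already in place when the phishing rule is evaluated.

# 1) Tag the flow when the request goes to a major search engine.
#    flowbits:noalert keeps this rule silent; its only job is to set the bit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL HTTP request to search engine (flowbit only)"; \
    flow:to_server,established; \
    content:"Host|3A| "; http_header; \
    pcre:"/^Host\x3a\s*(www\.)?(google|bing|yahoo)\.[a-z.]{2,6}\r?$/Hmi"; \
    flowbits:set,local.search_engine; flowbits:noalert; \
    classtype:not-suspicious; sid:1000001; rev:1; )

# 2) The phishing content rule, written against the response body.
#    It only fires when the flow was NOT tagged by rule 1, so a search
#    result page that happens to contain the brand name stays quiet.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL possible phishing page impersonating ExampleBank"; \
    flow:from_server,established; \
    flowbits:isnotset,local.search_engine; \
    file_data; content:"ExampleBank"; nocase; \
    content:"password"; nocase; distance:0; \
    classtype:bad-unknown; sid:1000002; rev:1; )
```

Each additional phishing rule only needs the single `flowbits:isnotset,local.search_engine;` option instead of a per-engine pcre, which is the point of the flowbit approach.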