[Snort-users] Help with snort rule and notifications

Jeremy Hoel jthoel at ...11827...
Sat Feb 15 21:56:15 EST 2014


Is this the rule exactly as you put it in? You have the IP in twice, and it
should be 'ip<space>port', where port is probably [80,443] depending on
how you access the site.

On Feb 15, 2014 5:11 PM, "Trever Leingod" <treverleingod at ...125...> wrote:

> Thanks for the input, Ed. I have tried what you suggested.
>
> I made a new rule based on the rules already present:
>
> "alert tcp any any -> 173.254.252.81 173.254.252.81 (msg: " **Alert
> gtx0.com has been opened**")"
>
> (IP used above is the one for www.gtx0.com)
>
> I used command "snort -d" and opened up gtx0.com in a browser but no
> notifications or logs were given. Any further tips, anyone?
>
> --Trever Leingod--
>
>
>
> ------------------------------
> CC: snort-users at lists.sourceforge.net
> From: SnortFan at ...131...
> Subject: Re: [Snort-users] Help with snort rule and notifications
> Date: Sat, 15 Feb 2014 11:02:14 -0500
> To: treverleingod at ...125...
>
> Here's a quick and dirty way. You can take another rule and copy it. Then
> you have to pick a Sid that's not in use.
>
> Change the msg content to the URL.
>
> If you create a new rules file, you will have to include it in your
> snort.conf.
>
> If you're using something like barnyard2, there's more to do.
>
> Cheers,
> Ed
>
>
>
> Sent from a mobile device.
>
> On Feb 14, 2014, at 4:33 PM, Trever Leingod <treverleingod at ...125...>
> wrote:
>
> I am quite new to using Snort.
>
>
> I was hoping to get pointers on how to write a rule to get notification if a
> certain website, like say www.facebook.com, is opened in a web browser,
> and how would I get this notification/alert to show.
>
>
> Trever Leingod
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
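
The two points raised in the replies (the second header slot after the destination IP must be a port, and a rule needs a sid that is not already in use) can be checked mechanically. The following is an added example, not part of the thread and not Snort's own code: a small Python linter for the rule header and options. The names `lint_rule` and `valid_port`, the corrected rule and sid 1000001 are assumptions made for illustration.

```python
import re

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)
PORT_ITEM = re.compile(r"^(?:\d{1,5}|\d{1,5}:\d{0,5}|:\d{1,5})$")

def valid_port(field):
    """Accept any, $VAR, N, N:M, N:, :M, or a [a,b,...] list of those; '!' negates."""
    field = field.lstrip("!")
    if field == "any" or field.startswith("$"):
        return True
    bracketed = field.startswith("[") and field.endswith("]")
    items = field[1:-1].split(",") if bracketed else [field]
    for item in items:
        item = item.lstrip("!")
        if not PORT_ITEM.match(item) or any(int(n) > 65535 for n in item.split(":") if n):
            return False
    return True

def lint_rule(rule):
    """Return problems found in one rule (empty list if none); expects msg and sid options."""
    m = HEADER.match(rule.strip())
    if not m:
        return ["header does not parse"]
    problems = []
    for name in ("sport", "dport"):
        if not valid_port(m.group(name)):
            problems.append(f"{name} is not a port: {m.group(name)}")
    opts = m.group("opts").strip()
    if not opts.endswith(";"):
        problems.append("option not terminated with ';'")
    # Option keywords, splitting on ';' only outside double-quoted strings.
    keys = {o.split(":", 1)[0].strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', opts)}
    for required in ("msg", "sid"):
        if required not in keys:
            problems.append(f"missing option: {required}")
    return problems

# The rule as posted in the thread, joined onto one line.
POSTED = ('alert tcp any any -> 173.254.252.81 173.254.252.81 '
          '(msg: " **Alert gtx0.com has been opened**")')
# Constructed correction; sid 1000001 is an assumed unused local sid.
FIXED = ('alert tcp any any -> 173.254.252.81 [80,443] '
         '(msg:"gtx0.com has been opened"; sid:1000001; rev:1;)')

if __name__ == "__main__":
    print(lint_rule(POSTED), lint_rule(FIXED))
```

Passing this check only covers syntax: Snort evaluates rules only when it is started with a configuration that includes the rules file (`-c snort.conf`, which is why Ed mentions adding a new rules file to snort.conf). Adding `-A console` prints alerts to the terminal.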