[Snort-users] Alert based on website URL

Nicholas Mavis (nmavis) nmavis at ...589...
Mon Jan 13 11:18:53 EST 2014


Feroz,

The rules you have would not work for what you want to achieve. Here are
some quick revisions to the rules you provided:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http"; content:"Host|3A| facebook.com"; fast_pattern:only;)

alert udp $HOME_NET any -> any 53 (msg:"Facebook DNS"; byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|"; fast_pattern:only;)

$HOME_NET is defined as your internal network you are monitoring and
$EXTERNAL_NET is typically set to "any". $HTTP_PORTS is set to the Snort
defaults in my configuration.

-Nick Mavis

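As an added illustration (not code from this thread or from Snort), the Python sketch below mirrors the matching logic of the two revised rules against constructed sample packets, to show why the DNS rule uses length-prefixed labels rather than the dotted name; the packet builders and sample requests are my own assumptions, not Snort's matching engine.

```python
import struct

# Constructed sample HTTP requests for this example (not real captures).
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: facebook.com\r\nUser-Agent: curl\r\n\r\n"
HTTP_WWW_REQUEST = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"


def encode_dns_name(name):
    """Wire-format a hostname: each label is prefixed by its length, then a 0 byte.
    In Snort notation 'www.facebook.com' becomes |03|www|08|facebook|03|com|00|;
    the dots never appear on the wire, which is why the original rule cannot match."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_message(name, response=False, txid=0x1234):
    """Minimal DNS query (flags 0x0100, RD set) or response (flags 0x8180) for an A record.
    Constructed for this example; a real resolver adds answer sections and EDNS."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_dns_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def matches_dns_rule(payload):
    """Mirror of the revised UDP/53 rule.
    byte_test:1,!&,0xF8,2 -> the byte at offset 2 must have none of bits 0xF8 set,
    i.e. QR=0 and opcode=0: a standard query, so responses are not alerted on.
    content:"|08|facebook|03|com|00|" -> the encoded suffix appears anywhere; the
    leading length byte anchors the label start, so 'notfacebook.com' does not match."""
    if len(payload) < 3 or payload[2] & 0xF8:
        return False
    return b"\x08facebook\x03com\x00" in payload


def matches_http_rule(payload):
    """Mirror of the revised TCP/$HTTP_PORTS rule: content:"Host|3A| facebook.com"."""
    return b"Host: facebook.com" in payload


def matches_original_dns_rule(payload):
    """The original question's content:"www.facebook.com" applied to a DNS payload."""
    return b"www.facebook.com" in payload
```

Note that the Host match is a plain substring, so a request carrying `Host: www.facebook.com` does not contain `Host: facebook.com`, whereas the DNS pattern also matches a query for www.facebook.com because the encoded suffix is shared. As quoted, the rules also need `sid` (and `rev`) options before Snort will load them.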


On 1/12/14 1:04 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:

>Hi All,
>
>I'm trying to monitor users/programs accessing a certain website on port 80
>or a different port. Would the rule below work? I tried them but without any
>success. Perhaps I missed something.
>
>Alert tcp any any -> any 80 (MSG: "user/program accessing Facebook";
>content: "www.facebook.com")
>
>Or based on DNS query.
>
>Alert udp any any -> any 53 (MSG: "user/program accessing Facebook";
>content: "www.facebook.com")
>
>Thanks.
>
>Regards,
>Feroz Basir
