[Snort-users] Alert based on website URL

Nicholas Mavis (nmavis) nmavis at ...589...
Mon Jan 13 11:18:53 EST 2014


The rules you have would not work for what you want to achieve. Here are
some quick revisions to the rules you provided:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http";
content:"Host|3A| facebook.com"; fast_pattern: only;)

alert udp $HOME_NET any -> any 53 (msg:"Facebook DNS";
byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|"; fast_pattern: only;)

$HOME_NET is defined as your internal network you are monitoring and
$EXTERNAL_NET is typically set to "any". $HTTP_PORTS is set to the Snort
defaults in my configuration.

-Nick Mavis

On 1/12/14 1:04 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:

>Hi All,
>
>I'm trying to monitor users/programs accessing certain websites on port 80
>or a different port. Would the rules below work? Tried them but without any
>success. Perhaps I missed something.
>
>Alert tcp any any -> any 80 (MSG: "user/program accessing Facebook";
>content: "www.facebook.com")
>
>Or based on DNS query.
>
>Alert udp any any -> any 53 (MSG: "user/program accessing Facebook";
>content: "www.facebook.com")
>
>Feroz Basir
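To see why the revised DNS rule matches a query while the original content:"www.facebook.com" does not, here is an added Python example (not Snort code and not from either poster) that builds constructed DNS and HTTP payloads and applies the same match logic the two revised rules express; the transaction id, TTL and 192.0.2.1 answer address are made-up sample values.

```python
import struct

# Added example (not Snort code): constructs DNS/HTTP payloads and evaluates
# the match logic of the two revised rules, to show why the original
# content:"www.facebook.com" never matches a DNS query on the wire.

def dns_wire_name(name):
    """Encode a hostname as DNS labels: length byte + label, ending in a NUL root."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"

def build_dns_message(name, response=False, txid=0x1234):
    """Constructed sample packet: an A query for `name`, or the reply to it (QR=1)."""
    flags = 0x8180 if response else 0x0100           # RD set; QR/RA only in the reply
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    question = dns_wire_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    if not response:
        return header + question
    # answer: compression pointer to the question name, A/IN, TTL 60, sample address
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

def facebook_dns_rule_matches(payload):
    """Mirror the DNS rule's options:
    byte_test:1,!&,0xF8,2  -> the flags high byte (offset 2) has none of the
                              QR/opcode bits set, i.e. a standard query, not a reply
    content:"|08|facebook|03|com|00|" -> wire-encoded facebook.com label sequence
    """
    if len(payload) < 3 or payload[2] & 0xF8:
        return False
    return b"\x08facebook\x03com\x00" in payload

def naive_dns_rule_matches(payload):
    """The original poster's content:"www.facebook.com" against the same payload."""
    return b"www.facebook.com" in payload

def facebook_http_rule_matches(request):
    """The HTTP rule's content:"Host|3A| facebook.com" is a literal substring test."""
    return b"Host: facebook.com" in request
```

Because content matching is a literal byte comparison, a DNS query carries 0x08 rather than a dot before "facebook", and a request whose Host header reads "www.facebook.com" does not contain the bytes "Host: facebook.com".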
