[Snort-users] Alert based on website URL

Feroz Basir feroz.basir at ...11827...
Mon Jan 13 11:32:21 EST 2014


Hi Nicholas,

Thanks for replying. FYI, Facebook.com is just an example. Would that work with other URLs as well? 

What is that - Host|3A| ?

Care to teach me how you got - byte_test:1,!&,0xF8,2;  ?

Thanks again. I have quite a number of URLs that I need to monitor, using different port numbers as well.

Regards,
Feroz Basir

> On 14 Jan 2014, at 00:18, "Nicholas Mavis (nmavis)" <nmavis at ...589...> wrote:
> 
> Feroz,
> 
> The rules you have would not work for what you want to achieve. Here are
> some quick revisions to the rules you provided:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http";
> content:"Host|3A| facebook.com"; fast_pattern: only;)
> 
> alert udp $HOME_NET any -> any 53 (msg:"Facebook DNS";
> byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|"; fast_pattern:
> only;)
> 
> $HOME_NET is defined as your internal network you are monitoring and
> $EXTERNAL_NET is typically set to "any". $HTTP_PORTS is set to the Snort
> defaults in my configuration.
> 
> -Nick Mavis
> 
> 
> 
>> On 1/12/14 1:04 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>> 
>> Hi All,
>> 
>> I'm trying to monitor a user/program accessing certain websites on port 80
>> or a different port. Would the rules below work? Tried them but without any
>> success. Perhaps I missed something.
>> 
>> Alert tcp any any -> any 80 (MSG: "user/program accessing Facebook";
>> content: "www.facebook.com")
>> 
>> Or based on DNS query.
>> 
>> Alert udp any any -> any 53 (MSG: "user/program accessing Facebook";
>> content: "www.facebook.com")
>> 
>> Thanks.
>> 
>> Regards,
>> Feroz Basir
> 
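The two options Feroz asks about are easier to see with a small script. The following is an added example, not code from anyone on this list: it expands Snort's `|..|` hex notation (so `Host|3A| ` is the bytes `Host: `), encodes a domain the way it appears on the wire inside a DNS query (length-prefixed labels, which is what `|08|facebook|03|com|00|` spells out, and why a plain `www.facebook.com` content match never fires on port 53), implements the `byte_test:1,!&,0xF8,2` check on a constructed DNS packet, and renders the two rules for any domain. The sample HTTP request and DNS packets are constructed here; the `sid` numbering in the generated rules is an assumed placeholder.

```python
"""Added example: what Nick's two Snort rule options match, shown in Python.
Sample packets are constructed inline; nothing is read from the network."""
import struct


def snort_hex_to_bytes(pattern: str) -> bytes:
    """Expand Snort content syntax: text outside |..| is literal ASCII, text
    inside |..| is hex bytes. "Host|3A| facebook.com" -> b"Host: facebook.com"."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += part.encode("ascii") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def dns_wire_name(domain: str) -> bytes:
    """Encode a name as DNS labels: one length byte per label, then the label,
    terminated by a zero byte. facebook.com -> b"\\x08facebook\\x03com\\x00".
    There are no '.' bytes on the wire, which is why content:"www.facebook.com"
    never matches a real query."""
    labels = [l.encode("ascii") for l in domain.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dns_rule_content(domain: str) -> str:
    """Same name in Snort content syntax, e.g. |08|facebook|03|com|00|."""
    labels = [l for l in domain.rstrip(".").split(".") if l]
    return "".join(f"|{len(l):02X}|{l}" for l in labels) + "|00|"


def byte_test_not_and(payload: bytes, offset: int, mask: int) -> bool:
    """Snort byte_test:1,!&,<mask>,<offset>: true when the one byte at <offset>
    has none of the bits in <mask> set. In a DNS message offset 2 is the high
    flags byte: QR(bit 7) | Opcode(bits 6-3) | AA | TC | RD. 0xF8 = 1111 1000
    covers QR and Opcode, so the test passes only for a standard query
    (QR=0, Opcode=0) and rejects responses and other opcodes."""
    return len(payload) > offset and (payload[offset] & mask) == 0


def build_dns_packet(domain: str, response: bool = False, txid: int = 0x1234) -> bytes:
    """Constructed DNS message: header + one A/IN question for <domain>."""
    flags = 0x0100  # RD set; QR and Opcode clear = standard query
    if response:
        flags |= 0x8000  # QR set = response
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + dns_wire_name(domain) + struct.pack("!HH", 1, 1)


def dns_rule_matches(payload: bytes, domain: str) -> bool:
    """Equivalent of: byte_test:1,!&,0xF8,2; content:"<wire name>";"""
    return byte_test_not_and(payload, 2, 0xF8) and dns_wire_name(domain) in payload


def http_rule_matches(payload: bytes, domain: str) -> bool:
    """Equivalent of: content:"Host|3A| <domain>"; (a plain substring match)."""
    return snort_hex_to_bytes(f"Host|3A| {domain}") in payload


def make_rules(domain: str, sid: int, http_ports: str = "$HTTP_PORTS") -> list:
    """Render the two rules from the reply for any domain and port variable.
    sid values are placeholders; pick numbers from your local range."""
    http = (f'alert tcp $HOME_NET any -> $EXTERNAL_NET {http_ports} '
            f'(msg:"{domain} http"; content:"Host|3A| {domain}"; '
            f'fast_pattern:only; sid:{sid}; rev:1;)')
    dns = (f'alert udp $HOME_NET any -> any 53 (msg:"{domain} DNS"; '
           f'byte_test:1,!&,0xF8,2; content:"{dns_rule_content(domain)}"; '
           f'fast_pattern:only; sid:{sid + 1}; rev:1;)')
    return [http, dns]


if __name__ == "__main__":
    # Constructed samples.
    req = b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n"
    print(http_rule_matches(req, "facebook.com"))                                  # True
    print(dns_rule_matches(build_dns_packet("www.facebook.com"), "facebook.com"))  # True
    print(dns_rule_matches(build_dns_packet("facebook.com", True), "facebook.com"))  # False
    for rule in make_rules("example.net", 1000001, "[80,8080]"):
        print(rule)
```

Two things the script makes visible that are worth keeping in mind when extending the rules to a list of domains: the DNS content is a substring match on the wire name, so `|08|facebook|03|com|00|` also fires on queries for `www.facebook.com` (the shorter name is a suffix of the longer one), while the HTTP content `Host|3A| facebook.com` does not fire on `Host: www.facebook.com`, since the bytes after `Host: ` differ. For non-standard ports, the port list goes where `$HTTP_PORTS` sits in the TCP rule.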
