[Snort-users] Alert based on website URL

Nicholas Mavis (nmavis) nmavis at ...589...
Mon Jan 13 13:40:56 EST 2014


Yes, they would work if you altered the content matches correctly. The
byte_test verifies that the packet is a valid DNS request and Host|3A|
would be part of the HTTP headers. If you have further questions regarding
those content matches, I would recommend reading into DNS and HTTP
protocols along with their typical header structure.

On 1/13/14 11:32 AM, "Feroz Basir" <feroz.basir at ...11827...> wrote:

>Hi Nicholas,
>
>Thanks for replying. FYI, Facebook.com is just an example. Would that
>work with other URL as well?
>
>What is that - Host|3A| ?
>
>Care to teach me how you got - byte_test:1,!&,0xF8,2;  ?
>
>Thanks again. I have quite a number of URLs that I need to monitor, and
>they use different port numbers as well.
>
>Regards,
>Feroz Basir
>
>> On 14 Jan 2014, at 00:18, "Nicholas Mavis (nmavis)" <nmavis at ...589...>
>>wrote:
>> 
>> Feroz,
>> 
>> The rules you have would not work for what you want to achieve. Here are
>> some quick revisions to the rules you provided:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http"; content:"Host|3A| facebook.com"; fast_pattern: only;)
>> 
>> alert udp $HOME_NET any -> any 53 (msg:"Facebook DNS"; byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|"; fast_pattern: only;)
>> 
>> $HOME_NET is defined as your internal network you are monitoring and
>> $EXTERNAL_NET is typically set to "any". $HTTP_PORTS is set to the Snort
>> defaults in my configuration.
>> 
>> -Nick Mavis
>> 
>> 
>> 
>>> On 1/12/14 1:04 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>> 
>>> Hi All,
>>> 
>>> I'm trying to monitor users/programs accessing certain websites on port 80
>>> or a different port. Would the rules below work? I tried them but without any
>>> success. Perhaps I missed something.
>>> 
>>> Alert tcp any any -> any 80 (MSG: "user/program accessing Facebook";
>>> content: "www.facebook.com")
>>> 
>>> Or based on DNS query.
>>> 
>>> Alert udp any any -> any 53 (MSG: "user/program accessing Facebook";
>>> content: "www.facebook.com")
>>> 
>>> Thanks.
>>> 
>>> Regards,
>>> Feroz Basir
>>> 
>> 
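To make the two pieces Nick explains concrete (DNS wire-format labels, which is why "|08|facebook|03|com|00|" rather than the dotted name is the right literal, and byte_test:1,!&,0xF8,2 as a "this is a query, not a response" check on the DNS flags byte at offset 2, plus "Host|3A|" being Snort hex for "Host:"), here is an added Python illustration. It is not part of the thread and not Snort's matching engine: it builds constructed sample packets and emulates only the content and byte_test options of the two rules above. All function names are hypothetical. One caveat visible in the emulation: the literal "Host|3A| facebook.com" as posted only matches when the Host value begins with "facebook.com", so a request with "Host: www.facebook.com" does not match it.

```python
import struct


def encode_dns_name(name: str) -> bytes:
    """Encode a hostname as a DNS wire-format QNAME.

    Each label is prefixed by its length byte and the name ends with a zero
    byte, so "facebook.com" becomes b"\\x08facebook\\x03com\\x00".  The dotted
    ASCII string never appears in the packet, which is why a plain
    content:"www.facebook.com" cannot match a DNS query.
    """
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid DNS label: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A query (flags 0x0100: QR=0, opcode 0, RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_dns_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def build_dns_response(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: the matching answer (flags 0x8180: QR=1) with one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_dns_name(name) + struct.pack("!HH", 1, 1)
    # Answer: compression pointer to the question name at offset 12, A/IN, TTL 60,
    # 4-byte RDATA using a documentation address (constructed value).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def snort_content_bytes(content: str) -> bytes:
    """Turn a Snort content string with |XX| hex escapes into raw bytes.

    "Host|3A| facebook.com" -> b"Host: facebook.com"
    "|08|facebook|03|com|00|" -> b"\\x08facebook\\x03com\\x00"
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")      # literal text
        else:
            out += bytes.fromhex(part)         # hex bytes between the bars
    return bytes(out)


def byte_test_not_and(payload: bytes, num_bytes: int, mask: int, offset: int) -> bool:
    """Emulate byte_test:<num_bytes>,!&,<mask>,<offset>.

    Reads num_bytes big-endian at offset from the start of the payload and
    succeeds when no bit of mask is set in the value.  With mask 0xF8 on the
    DNS flags byte (offset 2) that means QR=0 and opcode=0: a standard query.
    """
    chunk = payload[offset:offset + num_bytes]
    if len(chunk) < num_bytes:
        return False
    return (int.from_bytes(chunk, "big") & mask) == 0


def facebook_dns_rule_matches(udp_payload: bytes) -> bool:
    """Option logic of the 'Facebook DNS' rule: byte_test plus the label-encoded name."""
    return (byte_test_not_and(udp_payload, 1, 0xF8, 2)
            and snort_content_bytes("|08|facebook|03|com|00|") in udp_payload)


def facebook_http_rule_matches(tcp_payload: bytes) -> bool:
    """Option logic of the 'Facebook http' rule: a case-sensitive Host header literal."""
    return snort_content_bytes("Host|3A| facebook.com") in tcp_payload


if __name__ == "__main__":
    query = build_dns_query("www.facebook.com")
    print("dotted name in query packet:", b"www.facebook.com" in query)
    print("DNS rule on query:   ", facebook_dns_rule_matches(query))
    print("DNS rule on response:", facebook_dns_rule_matches(build_dns_response("www.facebook.com")))
    print("HTTP rule, Host: facebook.com     ->",
          facebook_http_rule_matches(b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n"))
    print("HTTP rule, Host: www.facebook.com ->",
          facebook_http_rule_matches(b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"))
```

The response packet contains the same encoded name as the query, so the content match alone would fire on both directions; the byte_test is what restricts the rule to outbound queries.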