[Snort-users] Alert based on website URL

Feroz Basir feroz.basir at ...11827...
Mon Jan 13 21:34:30 EST 2014


Hi Nicholas,

I copied and pasted the rule into the local.rules file. I still couldn't see any alert when I accessed www.facebook.com. Can you help, please?

Thanks again.

Regards,
Feroz Basir

> On 14 Jan 2014, at 02:40, "Nicholas Mavis (nmavis)" <nmavis at ...589...> wrote:
> 
> Yes, they would work if you altered the content matches correctly. The
> byte_test verifies that the packet is a valid DNS request and Host|3A|
> would be part of the HTTP headers. If you have further questions regarding
> those content matches, I would recommend reading into DNS and HTTP
> protocols along with their typical header structure.
> 
>> On 1/13/14 11:32 AM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>> 
>> Hi Nicholas,
>> 
>> Thanks for replying. FYI, Facebook.com is just an example. Would that
>> work with other URLs as well?
>> 
>> What is that - Host|3A| ?
>> 
>> Care to teach me how you got - byte_test:1,!&,0xF8,2;  ?
>> 
>> Thanks again. I have quite a number of URLs that I need to monitor,
>> using different port numbers as well.
>> 
>> Regards,
>> Feroz Basir
>> 
>>> On 14 Jan 2014, at 00:18, "Nicholas Mavis (nmavis)" <nmavis at ...589...> wrote:
>>> 
>>> Feroz,
>>> 
>>> The rules you have would not work for what you want to achieve. Here
>>> are some quick revisions to the rules you provided:
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http"; content:"Host|3A| facebook.com"; fast_pattern:only; sid:1000001; rev:1;)
>>> 
>>> alert udp $HOME_NET any -> any 53 (msg:"Facebook DNS"; byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|"; fast_pattern:only; sid:1000002; rev:1;)
>>> 
>>> $HOME_NET is defined as your internal network you are monitoring and
>>> $EXTERNAL_NET is typically set to "any". $HTTP_PORTS is set to the Snort
>>> defaults in my configuration.
>>> 
>>> -Nick Mavis
>>> 
>>> 
>>> 
>>>> On 1/12/14 1:04 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>>> 
>>>> Hi All,
>>>> 
>>>> I'm trying to monitor users/programs accessing certain websites on port 80
>>>> or on a different port. Would the rules below work? I tried them but without any
>>>> success. Perhaps I missed something.
>>>> 
>>>> Alert tcp any any -> any 80 (MSG: "user/program accessing Facebook"; content: "www.facebook.com")
>>>> 
>>>> Or based on DNS query.
>>>> 
>>>> Alert udp any any -> any 53 (MSG: "user/program accessing Facebook"; content: "www.facebook.com")
>>>> 
>>>> Thanks.
>>>> 
>>>> Regards,
>>>> Feroz Basir
>>>> 
> 
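As an added illustration that is not part of the thread: the script below emulates the two checks in Nick's DNS rule (byte_test:1,!&,0xF8,2 on the DNS flags byte, and the content match on the length-prefixed wire-format name) and the plain-substring Host header match, against a DNS query, the corresponding response and an HTTP request that are all constructed here. It also shows why a content match on the dotted string "www.facebook.com" can never hit a DNS packet.

```python
import struct

def encode_qname(name: str) -> bytes:
    """DNS wire-format name: each label prefixed by its length, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A query as a stub resolver sends it (QR=0, opcode=0, RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def byte_test_not_and(payload: bytes, size: int, mask: int, offset: int) -> bool:
    """Snort byte_test:<size>,!&,<mask>,<offset>: true when none of the mask bits are set."""
    if len(payload) < offset + size:
        return False
    value = int.from_bytes(payload[offset:offset + size], "big")
    return value & mask == 0

def dns_rule_matches(payload: bytes, domain: str = "facebook.com") -> bool:
    """byte_test:1,!&,0xF8,2 (QR=0 and opcode=0: a standard query) plus the encoded-name content match."""
    return byte_test_not_and(payload, 1, 0xF8, 2) and encode_qname(domain) in payload

def http_rule_matches(request: bytes, domain: str = "facebook.com") -> bool:
    """content:"Host|3A| facebook.com" is a plain substring match on the raw request bytes."""
    return b"Host\x3a " + domain.encode("ascii") in request

# Constructed samples: a query for www.facebook.com, the matching response (QR bit set),
# and the HTTP request a browser sends for the same host.
QUERY = build_dns_query("www.facebook.com")
_resp = bytearray(QUERY)
_resp[2] |= 0x80                      # flip QR: same name, but now an answer, not a question
RESPONSE = bytes(_resp)
REQUEST = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print("query   :", dns_rule_matches(QUERY))        # True
    print("response:", dns_rule_matches(RESPONSE))     # False: byte_test rejects QR=1
    print("dotted  :", b"www.facebook.com" in QUERY)   # False: dots are never on the wire
    print("http    :", http_rule_matches(REQUEST))     # False: header says www.facebook.com
    print("http www:", http_rule_matches(REQUEST, "www.facebook.com"))  # True
```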