[Snort-users] Alert based on website URL

Feroz Basir feroz.basir at ...11827...
Mon Jan 20 12:24:25 EST 2014


Hi All,

Anyone could help me on my basic snort rule, please? I've tried a few combinations and nothing worked for me. Thanks.

Regards,
Feroz Basir

> On 14 Jan 2014, at 10:34, Feroz Basir <feroz.basir at ...11827...> wrote:
> 
> Hi Nicholas,
> 
> I copied and pasted the rule into the local.rules file. I still couldn't see any alert when I accessed www.facebook.com. Can you help, please? 
> 
> Thanks again.
> 
> Regards,
> Feroz Basir
> 
>> On 14 Jan 2014, at 02:40, "Nicholas Mavis (nmavis)" <nmavis at ...589...> wrote:
>> 
>> Yes, they would work if you altered the content matches correctly. The
>> byte_test verifies that the packet is a valid DNS request and Host|3A|
>> would be part of the HTTP headers. If you have further questions regarding
>> those content matches, I would recommend reading into DNS and HTTP
>> protocols along with their typical header structure.
>> 
>>> On 1/13/14 11:32 AM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>> 
>>> Hi Nicholas,
>>> 
>>> Thanks for replying. FYI, Facebook.com is just an example. Would that
>>> work with other URLs as well?
>>> 
>>> What is that - Host|3A| ?
>>> 
>>> Care to teach me how you got - byte_test:1,!&,0xF8,2;  ?
>>> 
>>> Thanks again. I have quite a number of URLs that I need to monitor,
>>> using different port numbers as well.
>>> 
>>> Regards,
>>> Feroz Basir
>>> 
>>>> On 14 Jan 2014, at 00:18, "Nicholas Mavis (nmavis)" <nmavis at ...589...>
>>>> wrote:
>>>> 
>>>> Feroz,
>>>> 
>>>> The rules you have would not work for what you want to achieve. Here
>>>> are some quick revisions to the rules you provided:
>>>> 
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http"; content:"Host|3A| facebook.com"; fast_pattern:only; sid:1000001; rev:1;)
>>>> 
>>>> alert udp $HOME_NET any -> any 53 (msg:"Facebook DNS"; byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|"; fast_pattern:only; sid:1000002; rev:1;)
>>>> 
>>>> $HOME_NET is defined as your internal network you are monitoring and
>>>> $EXTERNAL_NET is typically set to "any". $HTTP_PORTS is set to the Snort
>>>> defaults in my configuration.
>>>> 
>>>> -Nick Mavis
>>>> 
>>>> 
>>>> 
>>>>> On 1/12/14 1:04 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>>>> 
>>>>> Hi All,
>>>>> 
>>>>> I'm trying to monitor users/programs accessing certain websites on port 80
>>>>> or a different port. Would the rules below work? I tried them but without any
>>>>> success. Perhaps I missed something.
>>>>> 
>>>>> Alert tcp any any -> any 80 (MSG: "user/program accessing Facebook";
>>>>> content: "www.facebook.com")
>>>>> 
>>>>> Or based on DNS query.
>>>>> 
>>>>> Alert udp any any -> any 53 (MSG: "user/program accessing Facebook";
>>>>> content: "www.facebook.com")
>>>>> 
>>>>> Thanks.
>>>>> 
>>>>> Regards,
>>>>> Feroz Basir
>>>>> 
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>> 
>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>> Snort news!
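The two content matches discussed in the thread above (the HTTP Host header match and the DNS label encoding guarded by byte_test:1,!&,0xF8,2), as an added example that is not code from the thread or from the Snort project: a Python script that decodes Snort content strings into bytes, applies them to a constructed HTTP request and a constructed DNS query the way a content match and a byte_test would, and emits a rule pair (HTTP and DNS) for each domain in a constructed watch list with its own port list. Assumptions that are mine, not the thread's: Snort 2.9 rule syntax, sids from 1000001 upward being free in local.rules, and the sample packets and the domain intranet.example being constructed here rather than captured.

```python
"""Added example for the Snort-users thread (not code from the thread).

Decodes Snort 'content' strings into bytes, applies them to a constructed
HTTP request and DNS query the way a content match and a byte_test would,
and emits a rule pair per domain. Assumptions: Snort 2.9 rule syntax, and
sids from 1000001 upward are free in local.rules."""
import struct


def decode_content(pattern):
    """'Host|3A| facebook.com' -> b'Host: facebook.com'; text between
    pipes is hex, everything else is literal (Snort content syntax)."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def content_matches(payload, pattern, nocase=False):
    """A bare content option is a substring search over the payload."""
    needle = decode_content(pattern)
    return needle.lower() in payload.lower() if nocase else needle in payload


def byte_test_not_and(payload, num_bytes, mask, offset):
    """byte_test:<num_bytes>,!&,<mask>,<offset>: true when none of the mask
    bits are set in the big-endian value read at offset. Offset 2 of a DNS
    message is the flags byte holding QR (0x80) and opcode (0x78), so
    mask 0xF8 keeps only standard queries."""
    value = int.from_bytes(payload[offset:offset + num_bytes], "big")
    return value & mask == 0


def dns_name_content(domain):
    """Wire-format labels in Snort content syntax:
    www.facebook.com -> |03|www|08|facebook|03|com|00|"""
    parts = []
    for label in domain.lower().strip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad DNS label: %r" % label)
        parts.append("|%02X|%s" % (len(label), label))
    return "".join(parts) + "|00|"


def build_dns_query(domain, txid=0x1234, flags=0x0100):
    """Constructed DNS message: 12-byte header plus one A/IN question.
    flags=0x0100 is a standard query (QR=0, opcode=0, RD=1)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + decode_content(dns_name_content(domain)) + struct.pack("!HH", 1, 1)


# Constructed sample request, as a browser would send it for www.facebook.com.
HTTP_REQUEST = (b"GET / HTTP/1.1\r\n"
                b"Host: www.facebook.com\r\n"
                b"User-Agent: constructed-sample\r\n\r\n")


def http_checks():
    """Which Host-header patterns hit the constructed request."""
    return {
        "Host|3A| facebook.com": content_matches(HTTP_REQUEST, "Host|3A| facebook.com"),
        "Host|3A| www.facebook.com": content_matches(HTTP_REQUEST, "Host|3A| www.facebook.com"),
        "facebook.com": content_matches(HTTP_REQUEST, "facebook.com"),
    }


def dns_checks():
    """Which patterns hit a constructed query, and what byte_test filters out."""
    query = build_dns_query("www.facebook.com")
    response = build_dns_query("www.facebook.com", flags=0x8180)  # QR=1: an answer
    return {
        "plain www.facebook.com": content_matches(query, "www.facebook.com"),
        "full labels": content_matches(query, dns_name_content("www.facebook.com")),
        "suffix |08|facebook|03|com|00|": content_matches(query, "|08|facebook|03|com|00|"),
        "byte_test on query": byte_test_not_and(query, 1, 0xF8, 2),
        "byte_test on response": byte_test_not_and(response, 1, 0xF8, 2),
    }


def snort_rules(domain, ports, sid):
    """Rule pair for one domain. ports: list of TCP ports, or None for
    $HTTP_PORTS. sid and sid+1 must be unused in local.rules (assumption)."""
    port_spec = "$HTTP_PORTS" if ports is None else "[%s]" % ",".join(str(p) for p in ports)
    http_rule = ('alert tcp $HOME_NET any -> $EXTERNAL_NET %s (msg:"HTTP Host %s"; '
                 'flow:to_server,established; content:"Host|3A| %s"; nocase; '
                 'fast_pattern:only; sid:%d; rev:1;)' % (port_spec, domain, domain, sid))
    dns_rule = ('alert udp $HOME_NET any -> any 53 (msg:"DNS query %s"; '
                'byte_test:1,!&,0xF8,2; content:"%s"; nocase; fast_pattern:only; '
                'sid:%d; rev:1;)' % (domain, dns_name_content(domain), sid + 1))
    return http_rule, dns_rule


if __name__ == "__main__":
    for name, hit in list(http_checks().items()) + list(dns_checks().items()):
        print("%-34s %s" % (name, "match" if hit else "no match"))
    sid = 1000001
    # Constructed watch list: one site on the default HTTP ports, one on others.
    for domain, ports in [("www.facebook.com", None), ("intranet.example", [8080, 8443])]:
        for rule in snort_rules(domain, ports, sid):
            print(rule)
        sid += 2
```

Running the script shows why the two posted patterns behave differently on a browser visit to www.facebook.com: the Host header carries the full name, so `Host|3A| facebook.com` is not a substring of `Host: www.facebook.com`, while the DNS question carries length-prefixed labels, so `|08|facebook|03|com|00|` is a suffix of the encoded `www.facebook.com` and does hit, and a plain `www.facebook.com` string never appears in a query at all. The byte_test passes for the query (flags 0x0100) and fails for the response (flags 0x8180), which is the QR bit the 0xF8 mask is there to exclude. Before deploying generated rules, check that they parse with `snort -T -c <your snort.conf>`.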