[Snort-users] Alert based on website URL

Joel Esler (jesler) jesler at ...589...
Mon Jan 20 13:04:46 EST 2014


Did you try this first?

https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md


On Jan 20, 2014, at 12:24 PM, Feroz Basir <feroz.basir at ...11827...> wrote:

> Hi All,
> 
> Could anyone help me with my basic snort rule, please? I've tried a few combinations and nothing worked for me. Thanks.
> 
> Regards,
> Feroz Basir
> 
>> On 14 Jan 2014, at 10:34, Feroz Basir <feroz.basir at ...11827...> wrote:
>> 
>> Hi Nicholas,
>> 
>> I copied and pasted the rule into the local.rules file. I still couldn't see any alert when I accessed www.facebook.com. Can you help, please?
>> 
>> Thanks again.
>> 
>> Regards,
>> Feroz Basir
>> 
>>> On 14 Jan 2014, at 02:40, "Nicholas Mavis (nmavis)" <nmavis at ...589...> wrote:
>>> 
>>> Yes, they would work if you altered the content matches correctly. The
>>> byte_test verifies that the packet is a valid DNS request and Host|3A|
>>> would be part of the HTTP headers. If you have further questions regarding
>>> those content matches, I would recommend reading into DNS and HTTP
>>> protocols along with their typical header structure.
>>> 
>>>> On 1/13/14 11:32 AM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>>> 
>>>> Hi Nicholas,
>>>> 
>>>> Thanks for replying. FYI, Facebook.com is just an example. Would that
>>>> work with other URLs as well?
>>>> 
>>>> What is that - Host|3A| ?
>>>> 
>>>> Care to teach me on how you got - byte_test:1,!&,0xF8,2;  ?
>>>> 
>>>> Thanks again. I have quite a number of URLs that I need to monitor, using
>>>> different port numbers as well.
>>>> 
>>>> Regards,
>>>> Feroz Basir
>>>> 
>>>>> On 14 Jan 2014, at 00:18, "Nicholas Mavis (nmavis)" <nmavis at ...589...>
>>>>> wrote:
>>>>> 
>>>>> Feroz,
>>>>> 
>>>>> The rules you have would not work for what you want to achieve. Here are
>>>>> some quick revisions to the rules you provided:
>>>>> 
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http"; content:"Host|3A| facebook.com"; fast_pattern:only;)
>>>>> 
>>>>> alert udp $HOME_NET any -> any 53 (msg:"Facebook DNS"; byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|"; fast_pattern:only;)
>>>>> 
>>>>> $HOME_NET is defined as your internal network you are monitoring and
>>>>> $EXTERNAL_NET is typically set to "any". $HTTP_PORTS is set to the Snort
>>>>> defaults in my configuration.
>>>>> 
>>>>> -Nick Mavis
>>>>> 
>>>>> 
>>>>> 
>>>>>> On 1/12/14 1:04 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>>>>> 
>>>>>> Hi All,
>>>>>> 
>>>>>> I'm trying to monitor users/programs accessing certain websites on port 80
>>>>>> or a different port. Would the rules below work? I tried them but without any
>>>>>> success. Perhaps I missed something.
>>>>>> 
>>>>>> Alert tcp any any -> any 80 (MSG: "user/program accessing Facebook"; content: "www.facebook.com")
>>>>>> 
>>>>>> Or based on DNS query.
>>>>>> 
>>>>>> Alert udp any any -> any 53 (MSG: "user/program accessing Facebook"; content: "www.facebook.com")
>>>>>> 
>>>>>> Thanks.
>>>>>> 
>>>>>> Regards,
>>>>>> Feroz Basir
>>>>>> 
>>>>>> ------------------------------------------------------------------------------
>>>>>> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
>>>>>> Learn Why More Businesses Are Choosing CenturyLink Cloud For
>>>>>> Critical Workloads, Development Environments & Everything In Between.
>>>>>> Get a Quote or Start a Free Trial Today.
>>>>>> 
>>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>> 
>>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>>> Snort news!
>>> 
> 
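Two questions in the thread above (what `byte_test:1,!&,0xF8,2` checks, and what `|08|facebook|03|com|00|` is) can be answered by re-implementing the two revised rules' conditions in Python. This is an added example, not code from the thread or from Snort: it builds a constructed DNS query, encodes names in DNS wire format, emulates the `!&` byte_test, and runs the HTTP `Host|3A| facebook.com` content match as written against two sample Host headers.

```python
import struct


def dns_name_wire(name: str) -> bytes:
    """Encode a domain name as it appears in a DNS packet: each label is
    prefixed by its length, and the name ends with a 0x00 byte. This is
    exactly what the rule's content "|08|facebook|03|com|00|" spells out."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Constructed sample UDP payload: a 12-byte DNS header followed by one
    question (type A, class IN). flags=0x0100 is a standard query with RD set;
    pass flags=0x8180 to build a response instead."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + dns_name_wire(name) + struct.pack("!HH", 1, 1)


def byte_test_not_and(payload: bytes, size: int, mask: int, offset: int) -> bool:
    """Emulates Snort's byte_test:<size>,!&,<mask>,<offset>: read <size> bytes
    at <offset> from the payload start as a big-endian integer and succeed
    only if (value & mask) == 0."""
    if len(payload) < offset + size:
        return False
    value = int.from_bytes(payload[offset:offset + size], "big")
    return (value & mask) == 0


def facebook_dns_rule_matches(payload: bytes) -> bool:
    """The revised DNS rule: byte 2 is the QR bit plus the 4-bit opcode plus AA,
    TC, RD. The mask 0xF8 (1111 1000) keeps only QR and opcode, so the test
    passes for standard queries (QR=0, opcode=0) and fails for responses or
    inverse/status queries. Then the wire-encoded name must be present."""
    return (byte_test_not_and(payload, 1, 0xF8, 2)
            and dns_name_wire("facebook.com") in payload)


def facebook_http_rule_matches(payload: bytes) -> bool:
    """The revised HTTP rule's content match, byte for byte as written."""
    return b"Host: facebook.com" in payload
```

Because the DNS match is a substring search, a query for www.facebook.com still contains `|08|facebook|03|com|00|` and matches; the HTTP match is fixed-text and only fires on a Host header whose value begins right after the space with "facebook.com".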