[Snort-users] Alert based on website URL
Joel Esler (jesler)
jesler at ...589...
Mon Jan 20 13:04:46 EST 2014
Did you try this first?
https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md
On Jan 20, 2014, at 12:24 PM, Feroz Basir <feroz.basir at ...11827...> wrote:
> Hi All,
>
> Could anyone help me with my basic Snort rule, please? I've tried a few combinations and nothing worked for me. Thanks.
>
> Regards,
> Feroz Basir
>
>> On 14 Jan 2014, at 10:34, Feroz Basir <feroz.basir at ...11827...> wrote:
>>
>> Hi Nicholas,
>>
>> I copied and pasted the rule into the local.rules file. I still couldn't see any alert when I accessed www.facebook.com. Can you help, please?
>>
>> Thanks again.
>>
>> Regards,
>> Feroz Basir
>>
>>> On 14 Jan 2014, at 02:40, "Nicholas Mavis (nmavis)" <nmavis at ...589...> wrote:
>>>
>>> Yes, they would work if you altered the content matches correctly. The
>>> byte_test verifies that the packet is a valid DNS request and Host|3A|
>>> would be part of the HTTP headers. If you have further questions regarding
>>> those content matches, I would recommend reading into DNS and HTTP
>>> protocols along with their typical header structure.
>>>
>>>> On 1/13/14 11:32 AM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>>>
>>>> Hi Nicholas,
>>>>
>>>> Thanks for replying. FYI, Facebook.com is just an example. Would that
>>>> work with other URLs as well?
>>>>
>>>> What is that - Host|3A| ?
>>>>
>>>> Care to teach me how you got - byte_test:1,!&,0xF8,2; ?
>>>>
>>>> Thanks again. I have quite a number of URLs that I need to monitor, and
>>>> they use different port numbers as well.
>>>>
>>>> Regards,
>>>> Feroz Basir
>>>>
>>>>> On 14 Jan 2014, at 00:18, "Nicholas Mavis (nmavis)" <nmavis at ...589...>
>>>>> wrote:
>>>>>
>>>>> Feroz,
>>>>>
>>>>> The rules you have would not work for what you want to achieve. Here are
>>>>> some quick revisions to the rules you provided:
>>>>>
>>>>> # sid and rev added so the rules load: Snort refuses to load a rule without a sid.
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http"; content:"Host|3A| facebook.com"; fast_pattern:only; sid:1000001; rev:1;)
>>>>>
>>>>> # byte_test checks that the QR and Opcode bits (mask 0xF8) of the DNS flags byte are clear, i.e. a standard query
>>>>> alert udp $HOME_NET any -> any 53 (msg:"Facebook DNS"; byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|"; fast_pattern:only; sid:1000002; rev:1;)
>>>>>
>>>>> $HOME_NET is defined as your internal network you are monitoring and
>>>>> $EXTERNAL_NET is typically set to "any". $HTTP_PORTS is set to the Snort
>>>>> defaults in my configuration.
>>>>>
>>>>> -Nick Mavis
>>>>>
>>>>>
>>>>>
>>>>>> On 1/12/14 1:04 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I'm trying to monitor user/program accessing certain website on port 80
>>>>>> or different port. Would below rule work? Tried them but without any
>>>>>> success. Perhaps I missed something.
>>>>>>
>>>>>> Alert tcp any any -> any 80 (MSG: "user/program accessing Facebook"; content: "www.facebook.com")
>>>>>>
>>>>>> Or based on DNS query.
>>>>>>
>>>>>> Alert udp any any -> any 53 (MSG: "user/program accessing Facebook"; content: "www.facebook.com")
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Regards,
>>>>>> Feroz Basir
>>>>>>
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>>
>>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>>> Snort news!
>>>
>
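The two content matches Nicholas proposed, modelled in Python as an added example (this is not code from the thread, from Snort, or from any of the posters): it builds a constructed DNS query and a constructed HTTP request, applies the same byte_test and content checks the two rules make, and shows which traffic each rule matches and which it does not. The packets and host names are constructed sample input, and byte_test_not_and is a hand-written stand-in for Snort's byte_test:1,!&,0xF8,2, not Snort's own implementation.

```python
import struct

# Constructed sample traffic: a minimal DNS question and an HTTP/1.1 request.
# These are built here for illustration, not captured from a real network.

def dns_query(qname, flags=0x0100, txid=0x1234):
    """Build a DNS A/IN query for qname. flags=0x0100 is a standard query with RD set;
    a response would carry QR=1 (e.g. 0x8180), which is what the byte_test screens out."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    # Wire-format name: length-prefixed labels ending with a zero byte,
    # so "facebook.com" becomes |08|facebook|03|com|00| exactly as in the rule.
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def http_request(host):
    """A plain GET with the given Host header value."""
    return ("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode("ascii")


def byte_test_not_and(payload, size, mask, offset):
    """Stand-in for Snort's byte_test:<size>,!&,<mask>,<offset>:
    read <size> bytes at <offset> (big-endian) and succeed when (value & mask) == 0."""
    if len(payload) < offset + size:
        return False
    value = int.from_bytes(payload[offset:offset + size], "big")
    return (value & mask) == 0


def dns_rule_matches(payload):
    """alert udp ... 53 (byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|";)
    Byte 2 of the DNS header holds QR (0x80) and Opcode (0x78); both must be zero,
    i.e. the packet is a standard query, and the label sequence must appear."""
    return byte_test_not_and(payload, 1, 0xF8, 2) and b"\x08facebook\x03com\x00" in payload


def http_rule_matches(payload):
    """alert tcp ... $HTTP_PORTS (content:"Host|3A| facebook.com";)
    |3A| is hex for ':', so this is a literal substring match on "Host: facebook.com"."""
    return b"Host: facebook.com" in payload


def evaluate_samples():
    """Run both rule models over constructed packets; returns {label: matched}."""
    return {
        "dns query facebook.com": dns_rule_matches(dns_query("facebook.com")),
        "dns query www.facebook.com": dns_rule_matches(dns_query("www.facebook.com")),
        "dns query example.com": dns_rule_matches(dns_query("example.com")),
        "dns response facebook.com": dns_rule_matches(dns_query("facebook.com", flags=0x8180)),
        "http Host: facebook.com": http_rule_matches(http_request("facebook.com")),
        "http Host: www.facebook.com": http_rule_matches(http_request("www.facebook.com")),
    }


if __name__ == "__main__":
    for label, matched in evaluate_samples().items():
        print("%-30s %s" % (label, "ALERT" if matched else "no alert"))
```

The DNS match fires for www.facebook.com as well as facebook.com, because the label sequence |08|facebook|03|com|00| terminates every name under facebook.com, and it stays quiet for a response carrying the same name because the QR bit trips the byte_test. The HTTP match as written only fires when the Host header value begins with facebook.com, so a browser request carrying Host: www.facebook.com produces no alert from that rule; a second content match for facebook.com positioned relative to the Host|3A| match would cover both forms.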