[Snort-users] Alert based on website URL

Feroz Basir feroz.basir at ...11827...
Tue Jan 21 11:24:37 EST 2014


Hi Joel,

I didn't receive the alert that I expected, but other alerts instead.

Thanks.


Regards,
Feroz Basir

> On 21 Jan 2014, at 02:04, "Joel Esler (jesler)" <jesler at ...589...> wrote:
> 
> Did you try this first?
> 
> https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md
> 
> 
>> On Jan 20, 2014, at 12:24 PM, Feroz Basir <feroz.basir at ...11827...> wrote:
>> 
>> Hi All,
>> 
>> Could anyone help me with my basic Snort rule, please? I've tried a few combinations and nothing worked for me. Thanks.
>> 
>> Regards,
>> Feroz Basir
>> 
>>> On 14 Jan 2014, at 10:34, Feroz Basir <feroz.basir at ...11827...> wrote:
>>> 
>>> Hi Nicholas,
>>> 
>>> I copied and pasted the rule into the local.rules file. I still couldn't see any alert when I accessed www.facebook.com. Can you help, please?
>>> 
>>> Thanks again.
>>> 
>>> Regards,
>>> Feroz Basir
>>> 
>>>> On 14 Jan 2014, at 02:40, "Nicholas Mavis (nmavis)" <nmavis at ...589...> wrote:
>>>> 
>>>> Yes, they would work if you altered the content matches correctly. The
>>>> byte_test verifies that the packet is a valid DNS request and Host|3A|
>>>> would be part of the HTTP headers. If you have further questions regarding
>>>> those content matches, I would recommend reading into DNS and HTTP
>>>> protocols along with their typical header structure.
>>>> 
>>>>> On 1/13/14 11:32 AM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>>>> 
>>>>> Hi Nicholas,
>>>>> 
>>>>> Thanks for replying. FYI, Facebook.com is just an example. Would that
>>>>> work with other URLs as well?
>>>>> 
>>>>> What is that - Host|3A| ?
>>>>> 
>>>>> Care to teach me how you got - byte_test:1,!&,0xF8,2;  ?
>>>>> 
>>>>> Thanks again. I have quite a number of URLs that I need to monitor, and
>>>>> they use different port numbers as well.
>>>>> 
>>>>> Regards,
>>>>> Feroz Basir
>>>>> 
>>>>>> On 14 Jan 2014, at 00:18, "Nicholas Mavis (nmavis)" <nmavis at ...16624....> wrote:
>>>>>> 
>>>>>> Feroz,
>>>>>> 
>>>>>> The rules you have would not work for what you want to achieve. Here
>>>>>> are some quick revisions to the rules you provided:
>>>>>> 
>>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http"; content:"Host|3A| facebook.com"; fast_pattern:only;)
>>>>>> 
>>>>>> alert udp $HOME_NET any -> any 53 (msg:"Facebook DNS"; byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|"; fast_pattern:only;)
>>>>>> 
>>>>>> $HOME_NET is defined as the internal network you are monitoring and
>>>>>> $EXTERNAL_NET is typically set to "any". $HTTP_PORTS is set to the Snort
>>>>>> defaults in my configuration.
>>>>>> 
>>>>>> -Nick Mavis
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On 1/12/14 1:04 PM, "Feroz Basir" <feroz.basir at ...11827...> wrote:
>>>>>>> 
>>>>>>> Hi All,
>>>>>>> 
>>>>>>> I'm trying to monitor users/programs accessing certain websites on port 80
>>>>>>> or on a different port. Would the rules below work? I tried them but without any
>>>>>>> success. Perhaps I missed something.
>>>>>>> 
>>>>>>> Alert tcp any any -> any 80 (MSG: "user/program accessing Facebook"; content: "www.facebook.com")
>>>>>>> 
>>>>>>> Or based on DNS query.
>>>>>>> 
>>>>>>> Alert udp any any -> any 53 (MSG: "user/program accessing Facebook"; content: "www.facebook.com")
>>>>>>> 
>>>>>>> Thanks.
>>>>>>> 
>>>>>>> Regards,
>>>>>>> Feroz Basir
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Snort-users mailing list
>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>> Snort-users list archive:
>>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>>> 
>>>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>>>> Snort news!
>> 
> 
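An added illustration, not part of the thread or of Snort itself: a small Python stand-in for the byte-level matching the two posted rules depend on. It encodes a hostname the way DNS puts it on the wire (length-prefixed labels, which is why a plain content:"www.facebook.com" never appears in a DNS query), models byte_test:1,!&,0xF8,2 as a check of the QR and Opcode bits in the flags byte at offset 2, and shows that content:"Host|3A| facebook.com" is a literal substring match, so a request whose header reads "Host: www.facebook.com" does not contain it. The DNS messages, HTTP request and all function names are constructed for this example.

```python
import struct

# Constructed sample data and helper functions: an added illustration of the
# byte-level behaviour behind the thread's Snort content matches. This is not
# Snort code and not part of the mailing-list posts.


def dns_name_to_wire(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels.

    Each label is preceded by a one-byte length and the name ends with a
    zero byte, so 'facebook.com' becomes b'\\x08facebook\\x03com\\x00', which is
    exactly what the rule's content:"|08|facebook|03|com|00|" matches.
    """
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_message(name: str, flags: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS message with one question (type A, class IN).

    flags 0x0100 is a standard query with RD set; 0x8180 is a typical response.
    """
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = dns_name_to_wire(name) + struct.pack("!HH", 1, 1)
    return header + question


def byte_test_not_and(payload: bytes, size: int, mask: int, offset: int) -> bool:
    """Model Snort's byte_test:<size>,!&,<mask>,<offset>.

    Reads <size> bytes big-endian at <offset> and succeeds when the bitwise
    AND with <mask> is zero (the '!' negates the '&' operator).
    """
    if len(payload) < offset + size:
        return False
    value = int.from_bytes(payload[offset:offset + size], "big")
    return (value & mask) == 0


def dns_rule_matches(payload: bytes, name: str) -> bool:
    """Model the posted DNS rule: byte_test:1,!&,0xF8,2 plus the label content.

    Byte 2 is the first flags byte (QR, Opcode[4], AA, TC, RD). The mask 0xF8
    covers QR and Opcode, so the test only passes for a query (QR=0) with the
    standard opcode (0); responses (QR=1) fail it.
    """
    return byte_test_not_and(payload, 1, 0xF8, 2) and dns_name_to_wire(name) in payload


def build_http_request(host: str, path: str = "/") -> bytes:
    """Constructed plain-HTTP request carrying a Host header."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def http_rule_matches(payload: bytes, host: str) -> bool:
    """Model content:"Host|3A| <host>" as the literal substring it is.

    |3A| is the hex escape for ':', so the pattern is the bytes 'Host: <host>'.
    """
    return b"Host\x3a " + host.encode("ascii") in payload


if __name__ == "__main__":
    query = build_dns_message("www.facebook.com", 0x0100)
    response = build_dns_message("www.facebook.com", 0x8180)
    print("DNS query matches:", dns_rule_matches(query, "facebook.com"))
    print("DNS response matches:", dns_rule_matches(response, "facebook.com"))
    print("Dotted name present in DNS query:", b"www.facebook.com" in query)
    print("Host: facebook.com ->", http_rule_matches(build_http_request("facebook.com"), "facebook.com"))
    print("Host: www.facebook.com ->", http_rule_matches(build_http_request("www.facebook.com"), "facebook.com"))
```

Running the script prints True for the query, False for the response (the byte_test rejects QR=1), False for the dotted name inside the DNS payload, and True then False for the two Host headers, which is the difference between browsing facebook.com and www.facebook.com as far as the posted HTTP rule is concerned.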