Help with a new rule to detect web traffic

["Chris Hoover" <revoohc () sermonaudio com>]

I need some help writing a new rule.  Where I work, we are running an
internet proxy server (running squid).  However, we also have an open
firewall allowing anyone who configures their browser to bypass the
proxy can go anywhere they want (don't ask on this choice).  

Anyway, we are working a plan to close this open hole to the internet. 
In order to get a scope on the problem, I need to get some sort of a
count as to how many machines are bypassing the proxy.  Please help me
get this rule written.

Basicaly, I need the rule to state:
anyone not using the proxy on any port going to the internet, but not a
extra_net on port 80 -> log

Here is what I have tried.  - EXTRA_NET is internet sites anyone can get
to (ip's changed to bogus ip's to protect the guilty and the innocent.
:) ).
var EXTRA_NET [4.5.6.7, 8.9.10.11, 12.13.14.15, 16.17.18.19,
20.21.22.23, 24.25.26.27, 10.30.0.0/16, 28.29.0.0/16, 30.31.32.0/24,
33.34.35.0/24, 36.37.38.0/24]
var PROXY_SERVER [1.2.3.4]
alert ip $HOME_NET!$PROXY_SERVER any -> $EXTERNAL_NET!$EXTRA_NET 80
(msg:"NON PROXY WEB ACCESS";)

Thanks for any help getting this rule to work.

chris




-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users