Snort mailing list archives
Re: how can we alert on web visiting activity?
From: mary andrews <maryandrews22 () gmail com>
Date: Thu, 19 Nov 2009 14:40:43 -0500
Just one machine in all, running Windows XP, then Snort 2.8.5.1. When we open a DOS window and issue any ping, it alerts on the DOS screen in which Snort is running, and it also gets logged. Now from that machine we open an instance of Internet Explorer 8 and visit www.ebay.com; we expect to see the alert on the DOS screen (or logged in Snort) just as the alert from ping. Should we try something else?

On Thu, Nov 19, 2009 at 2:35 PM, Jason Brvenik <jasonb () sourcefire com> wrote:
> Where are you accessing ebay from and where is snort in that equation? What are the machines involved?
>
> On Thu, Nov 19, 2009 at 2:27 PM, mary andrews <maryandrews22 () gmail com> wrote:
>> We are pulling our hair out on this one...
>>
>> alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; rawbytes; sid:1000002; rev:1;)
>>
>> We are using snort 2.8.5.1 under Win XP and the rawbytes didn't help here either...
>>
>> On Thu, Nov 19, 2009 at 2:01 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:
>>> What version of Snort are you using? I have had issues with content matching working correctly in the 2.8 branch (as have others at Emerging Threats). I was able to get content matching to work as expected by using the rawbytes option. See section 3.5.3 in the Snort manual.
>>>
>>> content:"ebay"; nocase; rawbytes;
>>>
>>> -evilghost
>>>
>>> mary andrews wrote:
>>>> Hello there,
>>>> we have a testing.rules file with the following 3 lines:
>>>>
>>>> #testing.rules
>>>> alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
>>>> alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; sid:1000002; rev:1;)
>>>>
>>>> We put the rule as generic as we can; of course ebay is just an example. Pinging any site produces the alert $TESTING rule$ on the DOS screen Snort has been started in. But using Internet Explorer to go to ebay does not produce any alert. Our question is, what part of a rule triggers web visiting activity?
>>>>
>>>> thanks, m
------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
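The rule the thread is debugging can be exercised offline instead of by browsing from the sensor box, which takes the sniffing interface and the live network out of the picture. The script below is an added example, not code from the thread or from the Snort project. It writes a pcap containing a TCP three-way handshake followed by an HTTP GET whose Host header is www.ebay.com, plus a testing.rules file, so the rule can be replayed with `snort -c snort.conf -r webvisit.pcap -A console`. The handshake is included so that `flow:established` has a tracked session to match against. Everything in it is constructed: the MAC and IP addresses, ports, sequence numbers and the request are made up, the packets are built by hand with the standard library, and the second rule (sid 1000003, using the `http_header` content modifier, which relies on the http_inspect preprocessor being enabled) is our own addition rather than anything posted in the thread.

```python
"""Offline test harness for a Snort "web visit" rule.

Added example, not from the thread or the Snort project. It writes a pcap with
a TCP three-way handshake plus an HTTP GET for www.ebay.com, and a rules file,
so the rule can be replayed with `snort -c snort.conf -r webvisit.pcap -A console`
instead of browsing from the sensor. Addresses, ports, sequence numbers and the
second rule are all made up for the example.
"""
import struct
import time

# Constructed endpoints; the server address is a stand-in, not ebay's.
CLIENT_IP, SERVER_IP = "192.168.1.10", "10.0.0.80"
CLIENT_MAC = bytes.fromhex("001122334455")
SERVER_MAC = bytes.fromhex("66778899aabb")
CLIENT_PORT, SERVER_PORT = 49152, 80
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18

# Constructed request: "ebay" appears only in the Host header, which is what a
# raw content:"ebay" match sees once the session is established.
HTTP_REQUEST = (b"GET / HTTP/1.1\r\n"
                b"Host: www.ebay.com\r\n"
                b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
                b"Connection: close\r\n\r\n")

# The thread's generic rule, plus a narrower one keyed to the HTTP header
# (http_header needs the http_inspect preprocessor; sid 1000003 is our choice).
RULES = (
    'alert tcp any any -> any any (msg:"test eBay rule"; flow:established; '
    'content:"ebay"; nocase; sid:1000002; rev:1;)\n'
    'alert tcp any any -> any 80 (msg:"eBay visit via Host header"; '
    'flow:established,to_server; content:"ebay"; nocase; http_header; '
    'sid:1000003; rev:1;)\n'
)


def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet II / IPv4 / TCP frame with valid IP and TCP checksums."""
    src_ip, dst_ip = ipv4(src), ipv4(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    src_mac, dst_mac = (CLIENT_MAC, SERVER_MAC) if src == CLIENT_IP else (SERVER_MAC, CLIENT_MAC)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


def build_session():
    """SYN, SYN/ACK, ACK, then the GET, so stream tracking sees an established flow."""
    c, s = 1000, 5000  # constructed initial sequence numbers
    return [
        tcp_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, c, 0, SYN),
        tcp_frame(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, s, c + 1, SYNACK),
        tcp_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, c + 1, s + 1, ACK),
        tcp_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, c + 1, s + 1, PSHACK, HTTP_REQUEST),
    ]


def write_pcap(path, frames):
    """Classic libpcap format: 24-byte global header, then a 16-byte record per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
        now = int(time.time())
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", now, i * 1000, len(frame), len(frame)) + frame)


def ip_checksum_ok(frame):
    return checksum(frame[14:34]) == 0


def tcp_checksum_ok(frame):
    ip, tcp = frame[14:34], frame[34:]
    return checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0


def tcp_payload(frame):
    """Bytes a raw content match is run against (no TCP options are used here)."""
    return frame[54:]


if __name__ == "__main__":
    frames = build_session()
    write_pcap("webvisit.pcap", frames)
    with open("testing.rules", "w") as f:
        f.write(RULES)
    print("wrote webvisit.pcap (%d frames) and testing.rules" % len(frames))
    print("replay with: snort -c snort.conf -r webvisit.pcap -A console")
```

If the replay fires and the live browser does not, the rule itself is not the problem; what remains to check is whether Snort is sniffing the interface the browser's traffic actually leaves on (the `-i` option on Windows) and whether the stream preprocessor is enabled in the configuration, since `flow:established` depends on it. Checksums are computed properly because Snort drops frames with bad IP/TCP checksums by default, which would silently make a hand-built pcap useless.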
Current thread:
- Re: how can we alert on web visiting activity?, (continued)
- Re: how can we alert on web visiting activity? mary andrews (Nov 19)
- Re: how can we alert on web visiting activity? evilghost () packetmail net (Nov 19)
- Re: how can we alert on web visiting activity? Matt Olney (Nov 19)
- Re: how can we alert on web visiting activity? mary andrews (Nov 19)
- Re: how can we alert on web visiting activity? Eoin Miller (Nov 19)
- Re: how can we alert on web visiting activity? Jason Brvenik (Nov 19)
- Re: how can we alert on web visiting activity? evilghost () packetmail net (Nov 19)
- Re: how can we alert on web visiting activity? Weir, Jason (Nov 19)
- Re: how can we alert on web visiting activity? Jason Brvenik (Nov 19)
- Re: how can we alert on web visiting activity? mary andrews (Nov 19)
- Re: how can we alert on web visiting activity? Jason Brvenik (Nov 19)