Snort mailing list archives

Re: Create rule to check illegal web access


From: Josh Little <josh () zombietango com>
Date: Thu, 19 Jul 2012 13:15:23 -0400

On 7/19/2012 8:59 AM, Antonin wrote:
Thanks for your answer.
I have a proxy server but my goal is not to block this kind of traffic
(it's already the case with the proxy).

I just want to be alerted when a user (or malware, etc.) tries to
reach this kind of website.
We have a SIEM tool, and we want to have an alert.

Are you collecting your proxy logs into the SIEM tool? Couldn't your
SIEM just alert you when a specific category of site is observed or
acted upon? If you've already got the tools, why reinvent the wheel?

Alerting based upon seeing a keyword in an HTTP packet will create a lot
of noise. Reading an article on P2P legislation in the EU on Techdirt
would probably trigger your initial rule example and in no way be a
violation of your policy. Unless you are tracking the URL accessed or
have some other method to verify each result, you may not even be able
to efficiently weed out the FPs from the TPs.

--ZT
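The point about keyword noise versus proxy-log category alerting, as an added example that is not part of the original thread: a small Python script runs both approaches over constructed proxy log lines (the log format, field names and category labels are assumptions) and shows which hosts the keyword rule flags that the proxy's own category verdict does not.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines for illustration (not from the original thread).
# Assumed field layout: timestamp client action category host path
PROXY_LOG = """\
2012-07-19T13:01:02 10.0.0.5 ALLOW news techdirt.com /articles/p2p-legislation-eu
2012-07-19T13:02:10 10.0.0.7 BLOCK p2p thepiratebay.example /torrent/12345
2012-07-19T13:03:44 10.0.0.9 ALLOW search search.example /?q=bittorrent+client
2012-07-19T13:04:01 10.0.0.7 BLOCK p2p tracker.example /announce
"""

# Keywords a naive content-match rule might look for anywhere in the request.
KEYWORDS = re.compile(r"p2p|torrent", re.IGNORECASE)
# Proxy categories that actually violate policy (assumed category names).
POLICY_CATEGORIES = {"p2p"}


@dataclass(frozen=True)
class Alert:
    client: str
    host: str
    reason: str


def parse_log(text):
    """Split each constructed log line into its six named fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, action, category, host, path = line.split(maxsplit=5)
        records.append({"ts": ts, "client": client, "action": action,
                        "category": category, "host": host, "path": path})
    return records


def keyword_alerts(records):
    """Alert whenever a keyword appears in host or path (the noisy approach)."""
    alerts = []
    for r in records:
        match = KEYWORDS.search(r["host"] + r["path"])
        if match:
            alerts.append(Alert(r["client"], r["host"], "keyword:" + match.group(0)))
    return alerts


def category_alerts(records):
    """Alert only on the proxy's own category verdict (what the SIEM already has)."""
    return [Alert(r["client"], r["host"], "category:" + r["category"])
            for r in records if r["category"] in POLICY_CATEGORIES]


def false_positive_hosts(records):
    """Hosts the keyword rule flags that the category rule does not."""
    return ({a.host for a in keyword_alerts(records)}
            - {a.host for a in category_alerts(records)})
```

On the constructed sample, the news article and the search query both trip the keyword rule, while the category rule alerts only on the two requests the proxy itself classified as p2p.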


