Snort mailing list archives

Re: Alert on web traffic instead of IP Address?


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 11 Aug 2009 10:40:55 -0400

Correct, it is *not* possible to put hostnames in a rule.  It's probably
better to write a rule on the content of the traffic than to try and track
an IP.
Or, use the IP blacklist patch from Marty.

J

On Tue, Aug 11, 2009 at 10:32 AM, Isherwood, Jeffrey - AES <
Jeffrey.Isherwood () itt com> wrote:

I have snort rules that are looking for traffic to certain websites,
based upon the IP Address of the destination…

However I would like to create a few rules that look for traffic headed to
a website that might be using Dynamic DNS (or fast flux) and so I do not
know the IP Address of the dst host.

For the IP Address alerts I use the following rule:

alert tcp $HOME_NET any -> $MALICIOUS_IP any (msg:"Malicious traffic alert"; flow: established; classtype: policy-violation; priority:669; sid:2009072103; rev:2;)

Where $HOME_NET is my internal network and $MALICIOUS_IP is the IP Address
of a site that we have deemed to be dangerous.  I don’t think that I can put
a website name in the variables… and with Dynamic DNS and FastFlux changing
the IPs I can’t figure out how to alert on malicious sites being hidden
behind the changing IP addresses.

Is it even possible?



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus
on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- Joel Esler | Sourcefire | Google Voice: 302-223-5974
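Joel's suggestion of matching on the content of the traffic rather than on the destination IP can be illustrated with two rules. These are an added example, not rules posted by Joel or Jeffrey: they assume $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are defined in snort.conf as usual, use "malicious.example.com" as a placeholder hostname, and use placeholder sid values in the local (1000000+) range. The first rule keys on the HTTP Host request header, the second on the DNS query for the name, so neither depends on which address the name currently resolves to.

```snort
# Added example (not from the thread): alert on the hostname carried inside
# the traffic instead of on the resolved IP address.
# Assumptions: $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS come from snort.conf;
# "malicious.example.com" is a placeholder hostname; sids are placeholders.

# 1) Plaintext HTTP: match the "Host: malicious.example.com" request header
#    on the client-to-server side of an established connection (|3A| is the
#    colon byte). Only cleartext HTTP can be inspected this way.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Malicious host - HTTP Host header"; flow:to_server,established; content:"Host|3A| malicious.example.com"; nocase; classtype:policy-violation; sid:1000001; rev:1;)

# 2) DNS: match the lookup of the name itself, which fires before any
#    connection is made and regardless of the protocol used afterwards.
#    DNS encodes the name as length-prefixed labels with no dots:
#      |09|malicious |07|example |03|com |00|
alert udp $HOME_NET any -> any 53 (msg:"Malicious host - DNS query"; content:"|09|malicious|07|example|03|com|00|"; nocase; classtype:policy-violation; sid:1000002; rev:1;)
```

The Host-header content is a substring match, so it still fires when the header carries a port suffix such as "malicious.example.com:8080", but it would also fire on a longer name that merely starts with that string; append the trailing |0D 0A| to the content if an exact match is wanted and the port suffix is not a concern. The DNS rule uses "-> any 53" rather than "-> $EXTERNAL_NET 53" because clients normally query an internal resolver that is itself inside $HOME_NET.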