Snort mailing list archives
Re: Alert on web traffic instead of IP Address?
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 14 Aug 2009 14:49:13 -0500
On Tue, 2009-08-11 at 10:32 -0400, Isherwood, Jeffrey - AES wrote:
However I would like to create a few rules that look for traffic headed to a website that might be using Dynamic DNS (or fast flux) and so I do not know the IP Address of the dst host. For the IP Address alerts I use the following rule:
[...]
Where $HOME_NET is my internal network and $MALICIOUS_IP is the IP Address of a site that we have deemed to be dangerous. I don’t think that I can put a website name in the variables… and with Dynamic DNS and FastFlux changing the IPs I can’t figure out how to alert on malicious sites being hidden behind the changing IP addresses.
If you are trying to catch regular, unencrypted web traffic, match on a specific Host header in the GET|POST|HEAD|whatever request:

content:"|0d 0a|Host|3a 20|www.evilsite.com|0d 0a|";

Regards,
Frank
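A worked check of what that Host-header content match does and does not catch, added here as an example; it is not part of Frank's reply and not Snort code. The byte-exact test below is the Python equivalent of the content option, and the tolerant variant shows the requests a plain byte match misses: HTTP header names are case-insensitive, the whitespace after the colon is optional, and the host may carry a :port suffix. The sample requests are constructed, and the complete Snort rule in the comment (its syntax, sid and msg) is an assumption about 2.x-era rule syntax rather than something from the thread.

```python
import re

# Constructed sample HTTP requests (not from the thread), as seen on the wire.
SAMPLES = {
    "canonical": b"GET / HTTP/1.1\r\nHost: www.evilsite.com\r\nUser-Agent: x\r\n\r\n",
    "lowercase": b"GET / HTTP/1.1\r\nhost: www.evilsite.com\r\n\r\n",
    "no_space":  b"POST /c HTTP/1.1\r\nHost:www.evilsite.com\r\nContent-Length: 0\r\n\r\n",
    "with_port": b"GET / HTTP/1.1\r\nHost: www.evilsite.com:8080\r\n\r\n",
    "lookalike": b"GET / HTTP/1.1\r\nHost: www.evilsite.com.example.net\r\n\r\n",
    "benign":    b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
}

# Byte-for-byte equivalent of the Snort option
#   content:"|0d 0a|Host|3a 20|www.evilsite.com|0d 0a|";
# (|0d 0a| is CRLF, |3a 20| is ": ").
EXACT_PATTERN = b"\r\nHost: www.evilsite.com\r\n"

# Hypothetical complete rule built around that match (assumed Snort 2.x syntax,
# sid chosen arbitrarily); `nocase` covers the header-name case problem shown below.
#   alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Outbound HTTP to www.evilsite.com";
#     flow:to_server,established; content:"Host|3a 20|www.evilsite.com|0d 0a|"; nocase;
#     classtype:trojan-activity; sid:1000001; rev:1;)


def exact_match(request: bytes) -> bool:
    """What a plain, case-sensitive content match sees."""
    return EXACT_PATTERN in request


# Tolerant parse: header name case-insensitive, optional whitespace after the
# colon, optional :port suffix, host compared exactly against the target.
HOST_LINE = re.compile(
    rb"^host:[ \t]*([^\r\n:]+?)(?::\d+)?[ \t]*\r\n",
    re.IGNORECASE | re.MULTILINE,
)


def tolerant_match(request: bytes, target: bytes = b"www.evilsite.com") -> bool:
    head, sep, _ = request.partition(b"\r\n\r\n")
    if not sep:
        return False  # header block not complete yet
    m = HOST_LINE.search(head + b"\r\n")
    return m is not None and m.group(1).lower() == target.lower()


def compare(samples=SAMPLES):
    """Map sample name -> (exact_match result, tolerant_match result)."""
    return {name: (exact_match(req), tolerant_match(req)) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (exact, tolerant) in compare().items():
        print(f"{name:10s} exact={exact!s:5s} tolerant={tolerant}")
```

The exact match fires only on the canonical request; the lowercase, no-space and :port variants all reach the same server but slip past it, while the tolerant check still rejects the look-alike host and the benign one. In Snort, `nocase` closes the case gap; the whitespace and port variants are worth a separate look when writing the real rule.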
Current thread:
- Alert on web traffic instead of IP Address? Isherwood, Jeffrey - AES (Aug 11)
- Re: Alert on web traffic instead of IP Address? Joel Esler (Aug 11)
- Re: Alert on web traffic instead of IP Address? Jason Haar (Aug 12)
- Re: Alert on web traffic instead of IP Address? Matt Olney (Aug 12)
- Re: Alert on web traffic instead of IP Address? CunningPike (Aug 13)
- Re: Alert on web traffic instead of IP Address? Jason Haar (Aug 12)
- Re: Alert on web traffic instead of IP Address? Joel Esler (Aug 11)
- Re: Alert on web traffic instead of IP Address? Frank Knobbe (Aug 14)