Snort mailing list archives

Fwd: simple rule to alert when visiting a website


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 17 Nov 2009 13:52:49 -0500

---------- Forwarded message ----------
From: mary andrews <maryandrews22 () gmail com>
Date: Tue, Nov 17, 2009 at 12:49 PM
Subject: Re: [Snort-users] simple rule to alert when visiting a website
To: Joel Esler <jesler () sourcefire com>


We promise to hit the docs when things are more confirmed; first we want to
convince the upstairs.
At this stage we don't really care for efficiency, we just want to show some
results so someone can sign for the $OK$,
if you know what we mean. :-)

Now,
1. We put this line here in a rules file which I included in my config.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test eBay rule"; flow:to_server,established; content:"eBay.com"; nocase; sid:10000002; rev:1;)
2. We also added one line only with the number 1000002 at the bottom of file
sid-msg.map
3. We restarted snort, but when I use IE to go to www.ebay.com, no alerts
are displayed on the DOS window.

What are we doing wrong?

thanks,
m



On Tue, Nov 17, 2009 at 11:43 AM, Joel Esler <jesler () sourcefire com> wrote:

There are plenty of docs to learn how to do this on snort.org, as well
as being included with the Snort software that you downloaded.

I don't know how you intend to perform "regression" testing on the
rules. But let us know how that works out.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test eBay rule"; flow:to_server,established; content:"eBay.com"; nocase; sid:1000000; rev:1;)

is a more proper way to do what you want.

Ip rules = generally bad
any any rules = generally bad

there are all kinds of webinars, white papers, and instructions to
help you do what you want on Snort.org. I would encourage you to check
those out as the rule I wrote above will fit only a very specific
service and function.

J
-written on a cell phone



On Tuesday, November 17, 2009, mary andrews <maryandrews22 () gmail com>
wrote:
well, I am using ebay.com as an example, but basically yes.

On Tue, Nov 17, 2009 at 11:03 AM, Joel Esler <jesler () sourcefire com> wrote:
So, your question is, how to write a rule to detect someone going to
eBay?

J

On Tuesday, November 17, 2009, mary andrews <maryandrews22 () gmail com> wrote:
Forgive us, but we are evaluating the software and we are now learning
it too,
OK, I suppose you can call us newbies.


we are trying to write simple rules, we have had some success so far,
a little at a time, we are now trying to write a small rule to alert if
someone
is visiting a specific site, say www.ebay.com <http://www.ebay.com/>

so far we have this in a file called testing.rules.

# testing.rules
alert icmp any any -> any any (msg:"$$$$$TESTING rule$$$$$";
sid:1000001;)


It's rudimentary, we know, but it's working ok. Before we uncomment the
config and include
a bigger set of rules, we want to regression test them in their
simplest form.

if someone replies, and since I am not 100% sure how this list works
yet,
could you please copy me here? maryandrews22 () gmail com

many thanks,
m


--
Joel Esler | 302-223-5974 | gtalk: jesler () sourcefire com



--
Joel Esler | 302-223-5974 | gtalk: jesler () sourcefire com





-- 
Joel Esler | 302-223-5974 | gtalk: jesler () sourcefire com
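As an added example (not code from the thread or from Snort itself), a small Python checker that applies the advice given in the thread to the rules quoted in it: it requires a lowercase action keyword, flags any -> any and ip rules, expects flow on tcp content rules, and cross-checks each sid against sid-msg.map, which surfaces the difference between sid:10000002 in the posted rule and 1000002 in the map entry. The rule lines and the sid-msg.map text are constructed from the messages above; the warning wording is the example's own.

```python
import re

# Constructed sample input (not Snort's own files): the two rules quoted in the thread,
# each joined onto one line, plus a sid-msg.map holding the entry the poster added.
RULES_TEXT = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test eBay rule"; flow:to_server,established; content:"eBay.com"; nocase; sid:10000002; rev:1;)
alert icmp any any -> any any (msg:"$$$$$TESTING rule$$$$$"; sid:1000001;)
"""
SID_MSG_MAP = "1000002 || test eBay rule\n"

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}  # Snort keywords are lowercase
HEADER = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(line):
    """Split one single-line rule into header fields and an option dict; None if not a rule."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rule, opts = m.groupdict(), {}
    for piece in filter(str.strip, rule.pop("opts").split(";")):
        key, _, val = piece.strip().partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def load_sid_map(text):
    """Parse 'sid || message' lines of sid-msg.map into a dict keyed by sid string."""
    pairs = (line.partition("||") for line in text.splitlines() if "||" in line)
    return {sid.strip(): msg.strip() for sid, _, msg in pairs}

def lint(line, sid_map):
    """Return the warnings the thread's advice implies for one rule line."""
    rule = parse_rule(line)
    if rule is None:
        return ["not a parseable single-line rule"]
    warnings, opts = [], rule["opts"]
    if rule["action"] not in ACTIONS:
        warnings.append(f"unknown action '{rule['action']}' (keywords are lowercase)")
    if rule["proto"] == "ip":
        warnings.append("ip protocol rule matches every packet")
    if rule["src"] == "any" and rule["dst"] == "any":
        warnings.append("any -> any addresses: noisy, use $HOME_NET/$EXTERNAL_NET")
    if rule["proto"] == "tcp" and "content" in opts and "flow" not in opts:
        warnings.append("tcp content rule without flow:to_server,established")
    sid = opts.get("sid", "<missing>")
    if sid not in sid_map:
        warnings.append(f"sid {sid} has no sid-msg.map entry")
    return warnings
```

Call load_sid_map(SID_MSG_MAP) once, then lint() each non-blank line of a rules file; a sid that is absent from sid-msg.map does not stop Snort alerting, but it is the kind of mismatch worth catching before a rules file grows.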