Snort mailing list archives
Fwd: simple rule to alert when visiting a website
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 17 Nov 2009 13:52:49 -0500
---------- Forwarded message ----------
From: mary andrews <maryandrews22 () gmail com>
Date: Tue, Nov 17, 2009 at 12:49 PM
Subject: Re: [Snort-users] simple rule to alert when visiting a website
To: Joel Esler <jesler () sourcefire com>

We promise to hit the docs when things are more confirmed; first we want to convince the upstairs. At this stage we don't really care about efficiency, we just want to show some results so someone can sign for the $OK$, if you know what we mean. :-)

Now,

1. We put this line here in a rules file which I included in my config.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test eBay rule"; flow:to_server,established; content:"eBay.com"; nocase; sid:10000002; rev:1;)

2. We also added one line only with the number 1000002 at the bottom of file sid-msg.map

3. We restarted snort, but when I use IE to go to www.ebay.com, no alerts are displayed on the DOS window.

What are we doing wrong?

thanks,
m

On Tue, Nov 17, 2009 at 11:43 AM, Joel Esler <jesler () sourcefire com> wrote:
There are plenty of docs to learn how to do this on snort.org, as well as being included with the Snort software that you downloaded. I don't know how you intend to perform "regression" testing on the rules. But let us know how that works out.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test eBay rule"; flow:to_server,established; content:"eBay.com"; nocase; sid:1000000; rev:1;)

is a more proper way to do what you want.

ip rules = generally bad
any any rules = generally bad

There are all kinds of webinars, white papers, and instructions to help you do what you want on Snort.org. I would encourage you to check those out, as the rule I wrote above will fit only a very specific service and function.

J

-written on a cell phone

On Tuesday, November 17, 2009, mary andrews <maryandrews22 () gmail com> wrote:

well, I am using ebay.com as an example, but basically yes.

On Tue, Nov 17, 2009 at 11:03 AM, Joel Esler <jesler () sourcefire com> wrote:

So, your question is, how to write a rule to detect someone going to eBay?

J

On Tuesday, November 17, 2009, mary andrews <maryandrews22 () gmail com> wrote:

Forgive us, but we are evaluating the software and we are now learning it too. OK, I suppose you can call us newbies. We are trying to write simple rules; we have had some success so far, a little at a time. We are now trying to write a small rule to alert if someone is visiting a specific site, say www.ebay.com. So far we have this in a file called testing.rules.

# testing.rules
alert icmp any any -> any any (msg:"$$$$$TESTING rule$$$$$";sid:1000001;)

It's rudimentary, we know, but it's working ok. Before we uncomment the config and include a bigger set of rules, we want to regression test them in their simplest form.

If someone replies, and since I am not 100% sure how this list works yet, could you please copy me here?
maryandrews22 () gmail com

many thanks,
m

-- Joel Esler | 302-223-5974 | gtalk: jesler () sourcefire com
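Added example, not part of the thread: a small Python linter that cross-checks a Snort 2.x rules file against sid-msg.map. It reproduces the mismatch that is visible in the messages above (the rule carries sid:10000002 while the line added to sid-msg.map says 1000002) and Joel's two rules of thumb (ip rules and any/any rules match far too broadly), plus the Snort convention that locally written rules use sids of 1,000,000 and above. The rule-header regex, the option splitter and the `sid || msg` map format are my reading of Snort 2.x syntax; the sample rules are the three posted in the thread and the one-line map is Mary's. One caveat a practitioner would want: sid-msg.map is consumed by unified-output post-processors such as Barnyard, not by Snort when it prints alerts to the console, so a map mismatch on its own does not explain a missing console alert.

```python
import re
from typing import Dict, List, Optional, Tuple

# Snort 2.x rule header: action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$",
    re.IGNORECASE,
)

# Snort reserves sids below 1,000,000 for the distributed rule sets; local rules start there.
LOCAL_SID_MIN = 1_000_000


def split_options(opts: str) -> List[str]:
    """Split the option body on ';' outside double quotes (a msg may itself contain ';')."""
    items, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [item for item in items if item]


def parse_rule(line: str) -> Optional[dict]:
    """Header fields plus an ordered (keyword, value) option list; None for blanks/comments."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = RULE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable rule: {line.strip()!r}")
    rule = m.groupdict()
    options: List[Tuple[str, Optional[str]]] = []
    for item in split_options(rule.pop("opts")):
        key, sep, value = item.partition(":")
        options.append((key.strip().lower(), value.strip() if sep else None))
    rule["options"] = options
    return rule


def option(rule: dict, key: str) -> Optional[str]:
    """Value of the first option named `key`, or None if the rule does not set it."""
    return next((v for k, v in rule["options"] if k == key), None)


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """sid-msg.map lines are 'sid || msg [|| reference ...]'; a bare sid yields an empty msg."""
    mapping: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        mapping[int(fields[0])] = fields[1] if len(fields) > 1 else ""
    return mapping


def lint(rules_text: str, map_text: str) -> List[Tuple[Optional[int], str]]:
    """Cross-check a rules file against sid-msg.map and flag the mistakes seen in the thread."""
    findings: List[Tuple[Optional[int], str]] = []
    sid_map = parse_sid_msg_map(map_text)
    seen = set()
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        sid_text = option(rule, "sid")
        if sid_text is None:
            findings.append((None, "rule has no sid"))
            continue
        sid = int(sid_text)
        seen.add(sid)
        if sid < LOCAL_SID_MIN:
            findings.append((sid, "sid below local range"))
        if option(rule, "rev") is None:
            findings.append((sid, "missing rev"))
        if sid not in sid_map:
            findings.append((sid, "not in sid-msg.map"))
        elif not sid_map[sid]:
            findings.append((sid, "sid-msg.map entry has no message"))
        if rule["proto"].lower() == "ip" or (rule["src"].lower() == "any" and rule["dst"].lower() == "any"):
            findings.append((sid, "any/any or ip rule"))
    for sid in sorted(sid_map):
        if sid not in seen:
            findings.append((sid, "sid-msg.map entry without a rule"))
    return findings


# Constructed sample input: the three rules posted in the thread and Mary's one-line sid-msg.map.
SAMPLE_RULES = """
# testing.rules
alert icmp any any -> any any (msg:"$$$$$TESTING rule$$$$$";sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test eBay rule"; flow:to_server,established; content:"eBay.com"; nocase; sid:10000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test eBay rule"; flow:to_server,established; content:"eBay.com"; nocase; sid:1000000; rev:1;)
"""
SAMPLE_SID_MSG_MAP = "1000002\n"

if __name__ == "__main__":
    for sid, problem in lint(SAMPLE_RULES, SAMPLE_SID_MSG_MAP):
        print(f"sid {sid}: {problem}")
```

Run against the sample it reports the orphaned map entry 1000002, the three rules whose sids have no map line, the missing rev on the ICMP test rule, and that same rule as an any/any rule. Escaped quotes inside a msg (`\"`) are not handled by the splitter; that is a simplification, not Snort's grammar.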
Current thread:
- simple rule to alert when visiting a website mary andrews (Nov 17)
- Re: simple rule to alert when visiting a website Joel Esler (Nov 17)
- Message not available
- Re: simple rule to alert when visiting a website Joel Esler (Nov 17)
- Message not available
- Fwd: simple rule to alert when visiting a website Joel Esler (Nov 17)
- Message not available
- Re: simple rule to alert when visiting a website Joel Esler (Nov 17)
- Re: simple rule to alert when visiting a website Joel Esler (Nov 17)
- Re: simple rule to alert when visiting a website JJ Cummings (Nov 17)