Snort mailing list archives

how can we alert on web visiting activity?


From: mary andrews <maryandrews22 () gmail com>
Date: Thu, 19 Nov 2009 13:40:58 -0500

Hello there, we have a testing.rules file with the following 3 lines

#testing.rules
alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; sid:1000002;rev:1;)

We put the rule as generic as we can; of course, ebay is just an example.

Pinging any site produces the alert $TESTING rule$ on the DOS screen where Snort has
been started.

But using Internet Explorer to go to ebay does not produce any alert.
Our question is, what part of a rule triggers web visiting activity?

thanks,
m
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
