Snort mailing list archives

Re: how can we alert on web visiting activity?


From: "Weir, Jason" <jason.weir () nhrs org>
Date: Thu, 19 Nov 2009 13:49:20 -0500

Rule 1000001 alerts on ICMP only.
Rule 1000002 alerts on TCP only.

Pings are ICMP and website access would be TCP; not sure why your content
match for "ebay" is not working.
 
-J 

        -----Original Message-----
        From: mary andrews [mailto:maryandrews22 () gmail com] 
        Sent: Thursday, November 19, 2009 1:41 PM
        To: snort-sigs () lists sourceforge net
        Subject: [Snort-sigs] how can we alert on web visiting activity?
        
        

        Hello there, we have a testing.rules file with the following 3 lines:

        #testing.rules
        alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
        alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; sid:1000002; rev:1;)

        We put the rule as generic as we can; of course ebay is just an example.

        Pinging any site produces the alert $TESTING rule$ on the DOS screen where snort has been started.

        But using Internet Explorer to go to ebay does not produce any alert.

        Our question is, what part of a rule triggers web visiting activity?

        thanks,
        m

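As an added illustration of the point Jason makes (this is example code written for this archive page, not Snort itself and not anything posted in the thread), the script below parses the two rules from testing.rules with a deliberately small subset of Snort's rule grammar and evaluates them against constructed packets. It assumes simplified semantics: the header protocol must match the packet's protocol, flow:established is modelled as a boolean that stands in for the stream preprocessor having seen a 3-way handshake, and content with nocase is a case-insensitive substring search over the TCP payload. The sample packets (a ping, an HTTP GET, a TLS ClientHello, a bare SYN, and a visit to another site) are all constructed inline.

```python
"""Toy Snort-rule evaluator for the two testing.rules lines above (added example)."""
import re
from dataclasses import dataclass, field

# The two rules quoted in the thread, verbatim.
TESTING_RULES = '''
#testing.rules
alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; sid:1000002;rev:1;)
'''

HEADER = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+\S+\s*\((?P<opts>.*)\)$')
HEXCHUNK = re.compile(r'\|([0-9A-Fa-f ]+)\|')


@dataclass
class Rule:
    sid: int
    proto: str
    msg: str
    contents: list = field(default_factory=list)  # [bytes, nocase] pairs, in rule order
    flow_established: bool = False


def _decode_content(val: str) -> bytes:
    """Snort writes non-printable bytes as |hex| inside content strings."""
    out, pos = b"", 0
    for m in HEXCHUNK.finditer(val):
        out += val[pos:m.start()].encode() + bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    return out + val[pos:].encode()


def parse_rule(line: str) -> Rule:
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a rule header: {line!r}")
    rule = Rule(sid=0, proto=m.group("proto").lower(), msg="")
    # Options are ';'-terminated; this toy split assumes no ';' inside quoted values.
    for opt in (o.strip() for o in m.group("opts").split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "sid":
            rule.sid = int(val)
        elif key == "msg":
            rule.msg = val.strip('"')
        elif key == "content":
            rule.contents.append([_decode_content(val.strip('"')), False])
        elif key == "nocase":
            rule.contents[-1][1] = True  # nocase modifies the preceding content
        elif key == "flow":
            rule.flow_established = "established" in val
    return rule


def parse_rules(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


@dataclass
class Packet:
    proto: str
    payload: bytes = b""
    established: bool = False  # stands in for Snort's stream tracking of the handshake


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.proto != rule.proto:          # header protocol gate: ICMP rule never sees TCP
        return False
    if rule.flow_established and not pkt.established:
        return False
    for needle, nocase in rule.contents:
        hay = pkt.payload
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def alerts(pkt: Packet, rules: list) -> list:
    """Return the sids that would fire on this packet."""
    return [r.sid for r in rules if rule_matches(r, pkt)]


RULES = parse_rules(TESTING_RULES)

# Constructed sample traffic (not captured from any real host).
PING = Packet("icmp", b"\x08\x00" + b"\x00" * 6 + b"abcdefgh")
HTTP_EBAY = Packet("tcp", b"GET / HTTP/1.1\r\nHost: www.eBay.com\r\nUser-Agent: MSIE\r\n\r\n", True)
TLS_EBAY = Packet("tcp", b"\x16\x03\x01" + b"\x00" * 40 + b"www.ebay.com", True)   # SNI is plaintext
SYN_EBAY = Packet("tcp", b"", False)                                                 # no payload, no flow
HTTP_OTHER = Packet("tcp", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", True)

if __name__ == "__main__":
    for name, pkt in [("ping", PING), ("http ebay", HTTP_EBAY), ("tls ebay", TLS_EBAY),
                      ("syn ebay", SYN_EBAY), ("http other", HTTP_OTHER)]:
        print(f"{name:11s} -> {alerts(pkt, RULES)}")
```

What the run shows is exactly the answer to the question asked: the protocol field in the rule header is the first gate, so sid 1000001 can only ever fire on ICMP, and sid 1000002 fires only when a TCP segment in an established flow carries the bytes "ebay" in any case. A browser visit fires it on the HTTP Host header and, for HTTPS, on the plaintext SNI in the ClientHello; a bare SYN has no payload and no established flow, so nothing fires. In a real Snort deployment flow:established additionally depends on the stream preprocessor being enabled, and a rule written for production would normally narrow the header to `$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS` with `flow:to_server,established` rather than `any any -> any any`.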