Snort mailing list archives

Re: how can we alert on web visiting activity?


From: "Weir, Jason" <jason.weir () nhrs org>
Date: Thu, 19 Nov 2009 14:31:49 -0500

Have you used TCPDump or Wireshark to verify that the packet is actually
getting to the sensor? No packet - no alert...

        -----Original Message-----
        From: mary andrews [mailto:maryandrews22 () gmail com]
        Sent: Thursday, November 19, 2009 2:28 PM
        To: evilghost () packetmail net; Snort-sigs () lists sourceforge net
        Subject: Re: [Snort-sigs] how can we alert on web visiting activity?

        we are pulling our hair on this one...

        alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; rawbytes; sid:1000002; rev:1;)

        we are using snort 2.8.5.1 under win XP and the rawbytes didn't help here either...

        On Thu, Nov 19, 2009 at 2:01 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:

        

                What version of Snort are you using?  I have had issues with content matching working correctly in the 2.8 branch (as have others at Emerging Threats); I was able to get content matching to work as expected by using the rawbytes option.  See section 3.5.3 in the Snort manual.

                content:"ebay"; nocase; rawbytes;

                -evilghost



                mary andrews wrote:
                > Hello there, we have a testing.rules file with the following 3 lines
                >
                > #testing.rules
                > alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
                > alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; sid:1000002; rev:1;)
                >
                > we put the rule as generic as we can; of course ebay is just an example.
                >
                > pinging any site produces the alert $TESTING rule$ on the DOS screen where snort has been started.
                >
                > But using Internet Explorer to go to ebay does not produce any alert.
                > Our question is, what part of a rule triggers web visiting activity?
                >
                > thanks,
                > m
_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
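One way to do the check suggested above offline, as an added example that is not from the thread or from the Snort project: scan a saved capture for the bytes that the rule's content:"ebay"; nocase; would look for, so you know whether the sensor ever saw them before debugging the rule itself. The capture, IP addresses and ports below are constructed placeholders, not real traffic.

```python
"""Scan a libpcap file for TCP payloads containing a byte string, the way
Snort's content:"..."; nocase; tests them. Added example; the capture is
constructed in-memory and the addresses/ports are placeholder values."""
import struct

def build_pcap(payload: bytes) -> bytes:
    """Wrap one TCP segment (Ethernet/IPv4/TCP) in a little-endian pcap file.
    Checksums are left zero; they are not needed for this check."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip          # dst MAC, src MAC, IPv4 ethertype
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rec_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + rec_hdr + frame

def tcp_payloads(pcap: bytes):
    """Yield (src_ip, dst_ip, payload) for every IPv4/TCP packet in the capture."""
    off = 24                                          # skip the global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":               # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                # not TCP
            continue
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        doff = (tcp[12] >> 4) * 4                     # TCP header length
        yield ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), tcp[doff:]

def content_matches(pcap: bytes, needle: bytes, nocase: bool = True):
    """Return (src, dst) for each packet whose TCP payload contains needle;
    nocase=True mirrors Snort's nocase modifier."""
    n = needle.lower() if nocase else needle
    return [(s, d) for s, d, p in tcp_payloads(pcap)
            if n in (p.lower() if nocase else p)]

# Constructed HTTP request, like the one a browser would send when visiting eBay.
SAMPLE_PCAP = build_pcap(b"GET / HTTP/1.1\r\nHost: www.EBAY.com\r\n\r\n")

if __name__ == "__main__":
    print(content_matches(SAMPLE_PCAP, b"ebay"))
```

If a real capture taken on the sensor interface yields no match here, the bytes never reached the sensor (or the session is encrypted), and no rule option will make Snort alert on them.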
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs