Re: Need help 'log to' option of the snort rule

[L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>]

If it were me l would use the http_header content modifier to improve
performance.  YouTube videos embedded in non-YouTube pages will still
cause the browser to connect to YouTube when played and they should
send the Host header (I confirmed this with the latest version of
FireFox on Windows).

I will also note that there seem to be a number of errors in the snort
manual and some things do not work exactly like the manual describes
so it should be taken with a grain of salt :)

-L0rd Ch0de1m0rt

On 3/26/10, manjushree ks <manjushree.ks () hotmail com> wrote:
> Hello L0rd Ch0de1m0rt,
>
> Thanks so much for the suggestions,
>
> Sure, I would consider your suggestion of changing ' any ' to $HTTP_PORTS
> variable.
>
> SEcondly, My idea of writing this snort rule is that an alert needs to be
> triggered every time a youtube video is played whether it is
> played from youtube.com or from any other  website. The rule should fire
>  alerts at most once every two minutes. In addition, a log file named
> youtubeviolation.log should be created every time the alert is raised.
>
> Do you suggest me to use the 'http_header' after the content match?
>
> I am using snort 2.8.5.3
>
> Thanks again :)
>
> Manju
>
> > Date: Fri, 26 Mar 2010 09:13:22 -0500
> > Subject: Re: [Snort-sigs] Need help 'log to' option of the snort rule
> > From: l0rdch0de1m0rt () gmail com
> > To: manjushree.ks () hotmail com
> > CC: snort-sigs () lists sourceforge net
> >
> > Hello, this is L0rd Ch0de1m0rt.  I do not know why it is not logging
> > correctly but might I kindly make some suggestions about the rule?
> > First, I would suggest that the destination port be 80 or your
> > $HTTP_PORTS variable.  Next, I would suggest that you look for
> > "youtube.com" in the HTTP headers only (just add 'http_header' after
> > the content match) since it should be in the HTTP Host header if the
> > browser is compatible with HTTP 1.1.  Of course, this can be bypassed
> > but nowadays, pretty much all browsers are HTTP 1.1 compliant and send
> > the Host header by default.
> >
> > What version of snort are you running?  Maybe it doesn't support the
> > logto directive if it is older.
> >
> > Cheers,
> >
> > -L0rd Ch0de1m0rt
> >
> > On 3/26/10, manjushree ks <manjushree.ks () hotmail com> wrote:
> > > Hi again,
> > >
> > > Sorry, A small correction in the rule,
> > >
> > > It would be,
> > >
> > > alert tcp any any -> any any (msg:"Policy Violation : YOUTUBE is visited
> > > via
> > > a different site"; content:"youtube.com"; threshold: type both, track
> > > by_src,count 1, seconds 120;\
> > > logto:"/etc/snort/youtubeviolation.log1";
> > > classtype:policy-violation;sid:7000002;)
> > >
> > > Regards,
> > > Manju
> > >
> > >
> > > From: manjushree.ks () hotmail com
> > > To: snort-sigs () lists sourceforge net
> > > Date: Fri, 26 Mar 2010 19:02:00 +0530
> > > Subject: [Snort-sigs] Need help 'log to' option of the snort rule
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Hi,
> > >
> > > This is Manju writing in to request any suggestions on the below snort
> > > rule,
> > >
> > > I have a rule here which would be required to create a log file inorder
> > > to
> > > log in any of the alerts detected due to the visit of ' youtube .com'
> > > site .
> > >
> > > But unfortunately its not creating any of the file named
> > > youtubeviolation1.log in the specified directory. Could anybody throw
> > > some
> > > light on this?
> > >
> > > below is the rule,
> > >
> > > alert tcp any any -> any any (msg:"Policy Violation : YOUTUBE is visited
> > > via
> > > a different site"; content:"youtube.com"; threshold: type both, track
> > > by_src,count 1, seconds 120;\
> > > logto:"/etc/snort/youtubeviolation.log";
> > > classtype:policy-violation;sid:7000002;)
> > >
> > > Thanks!
> > > Manju

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs