Re: filter http traffic

[Balasubramaniam Natarajan <bala150985 () gmail com>]

One small question I doubt it that is possible because when I type in
google.com the browser automatically switches over to
https://www.google.co.in/ so in that case we may not be able to trace it.

@kenterer1, Does you browser switch to https on google.com ?

On Sun, May 20, 2012 at 9:02 PM, Joel Esler <jesler () sourcefire com> wrote:

> Yes, it is possible. I suggest capturing a packet flow of you doing the
> search, then you should be able to see the structure of the query much
> better.
>
> --
> Joel Esler
>
> On May 19, 2012, at 9:26 AM, Sdflkaj Jksdfj <kenterer1 () ymail com> wrote:
>
> Hey there,
>
> i want to filter search requests to e.g. google which have certain
> keywords.
>
> my suggestion is the following:
>
>  alert tcp any any -> any any (pcre: "/(keyword1|keyword2)*/"; msg:
> "someone searches for rootkit or malware in google bing or yahooo"; sid:
> 1000004;rev:1;)
>
>  Since i want to be able to use regular expressions i use PCRE. However
> this line only gives alarm if i use the "url bar" of the browser to search
> for   keywords. if i visit google.com and type the keywords in the input
> box, there is no alarm  going of . : /
>
> i would appreciate any inspiration.
>
> cheers
> kenterer
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!