Snort mailing list archives
Re: filter http traffic
From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Sun, 20 May 2012 23:37:30 +0530
One small question: I doubt that it is possible, because when I type in google.com the browser automatically switches over to https://www.google.co.in/, so in that case we may not be able to trace it.

@kenterer1, does your browser switch to https on google.com?

On Sun, May 20, 2012 at 9:02 PM, Joel Esler <jesler () sourcefire com> wrote:
Yes, it is possible. I suggest capturing a packet flow of you doing the search; then you should be able to see the structure of the query much better.

--
Joel Esler

On May 19, 2012, at 9:26 AM, Sdflkaj Jksdfj <kenterer1 () ymail com> wrote:

Hey there,

I want to filter search requests to e.g. Google which have certain keywords. My suggestion is the following:

alert tcp any any -> any any (pcre: "/(keyword1|keyword2)*/"; msg: "someone searches for rootkit or malware in google bing or yahooo"; sid: 1000004; rev:1;)

Since I want to be able to use regular expressions, I use PCRE. However, this line only gives an alarm if I use the "url bar" of the browser to search for keywords. If I visit google.com and type the keywords in the input box, there is no alarm going off. :/

I would appreciate any inspiration.

Cheers,
kenterer

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
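As an added illustration (not part of the thread), the following Python replays the PCRE from the original post against a few constructed payloads: it shows that the trailing `*` lets the pattern match every packet, that a tightened pattern anchored to the HTTP request line only fires on the URL-bar style GET, and that a search carried inside a TLS record offers a payload regex nothing to match. The keywords, URIs and byte strings are assumptions made up for the example.

```python
import re

# Constructed sample payloads standing in for what Snort would see on the wire.
# They are invented for this example, not captures from the thread.
SAMPLES = {
    # Search typed into the browser's URL bar: keyword sits in the GET request line.
    "urlbar_search": b"GET /search?q=rootkit+removal HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    # Unrelated request that must not alert.
    "unrelated": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Search submitted from the site's input box over HTTPS: only an opaque TLS
    # application-data record is visible (placeholder bytes, not real ciphertext).
    "https_search": b"\x17\x03\x03\x00\x20" + bytes(range(32)),
}

# Pattern as posted: the trailing "*" lets the group match zero times, so the
# regex matches the empty string and therefore fires on every payload.
ORIGINAL = re.compile(rb"(rootkit|malware)*")

# Tightened pattern: require a keyword, and only inside the q= parameter of an
# HTTP request line. re.I mirrors a PCRE /i flag; re.M lets ^ anchor each line.
TIGHTENED = re.compile(
    rb"^(?:GET|POST) /search\?[^ ]*\bq=[^ &]*(rootkit|malware)", re.I | re.M
)


def alerts(pattern, payloads):
    """Return the sorted names of the payloads the pattern would alert on."""
    return sorted(name for name, data in payloads.items() if pattern.search(data))


def main():
    print("original :", alerts(ORIGINAL, SAMPLES))   # fires on all three
    print("tightened:", alerts(TIGHTENED, SAMPLES))  # fires on urlbar_search only


if __name__ == "__main__":
    main()
```

Even the tightened pattern stays blind to the HTTPS case, which is the visibility problem the thread is circling around.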
Current thread:
- filter http traffic Sdflkaj Jksdfj (May 20)
- Re: filter http traffic Joel Esler (May 20)
- Re: filter http traffic Balasubramaniam Natarajan (May 20)
- Re: filter http traffic Giles Coochey (May 22)
- Re: filter http traffic Jason Haar (May 24)
- Re: filter http traffic Ryan Moon (May 24)
- Re: filter http traffic Balasubramaniam Natarajan (May 20)
- Re: filter http traffic Joel Esler (May 20)