Snort mailing list archives

Re: Create rule to check illegal web access


From: Antonin <antonin () libfy com>
Date: Thu, 19 Jul 2012 21:24:00 +0200

Guys,

many thanks for your answers.
You're right, why reinvent the wheel?

But access to torrent websites, for example, is not allowed by the Corporate
Security rules.
The proxy could do this, but we use squidGuard with a set of flat files
covering the blocked web URIs, and not all are referenced.
Of course, I could write regexes for squidGuard that would block all access,
but the load generated by the regexes would be huge.

However, you're right. My idea is probably stupid.

Thank you anyway for your answers.

Antonin

2012/7/19 Josh Little <josh () zombietango com>

On 7/19/2012 8:59 AM, Antonin wrote:
thanks for your answer.
I have a proxy server but my goal is not to block this kind of traffic
(it's already the case with the proxy).

I just want to be alerted when a user (or malware, etc.) tries to
reach this kind of website.
We have a SIEM tool, and we want to have an alert.

Are you collecting your proxy logs into the SIEM tool? Couldn't your
SIEM just alert you when a specific category of site is observed or
acted upon? If you've already got the tools, why reinvent the wheel?

Alerting based upon seeing a keyword in an HTTP packet will create a lot
of noise. Reading an article on P2P legislation in the EU on Techdirt
would probably trigger your initial rule example and in no way be a
violation of your policy. Unless you are tracking the URL accessed or
have some other method to verify each result, you may not even be able
to efficiently weed out the FPs from the TPs.

--ZT



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Antonin
_________________________________

*"The road is long, but the way is free"*
OpenSource Software
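As an added example (not code from the thread or from Snort, Squid or squidGuard), here is the proxy-log side of the suggestion above: alert on requests whose host falls in a blocked category, taken from Squid's native access.log format and a squidGuard-style flat domain list, instead of matching a keyword inside HTTP payloads. The domain list and log lines are constructed; the Techdirt-style article about torrents is included to show that it does not trigger.

```python
"""Added example: category alerts from Squid access.log lines rather than
keyword matches on HTTP packets.  Domain list and log lines are constructed."""
import re
from urllib.parse import urlsplit

# Constructed stand-in for a squidGuard flat domain list (one host per line);
# squidGuard treats a listed domain as matching all of its subdomains too.
BLOCKED_DOMAINS = {"thepiratebay.example", "torrentz.example"}

# Squid native log: time elapsed client action/code size method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def host_of(url: str) -> str:
    """Lowercase host of a full URL or of a CONNECT 'host:port' target."""
    if "://" not in url:          # CONNECT requests log only host:port
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def is_blocked(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed domain."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))

def alerts_from_log(lines):
    """Return (client, host, url) for every request to a blocked host."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                 # skip lines that are not in the expected format
            continue
        host = host_of(m["url"])
        if is_blocked(host):
            out.append((m["client"], host, m["url"]))
    return out

# Constructed sample lines: a news article mentioning torrents (must not
# alert), a blocked site over plain HTTP, and a blocked site via CONNECT.
SAMPLE_LOG = [
    "1342700000.123 145 10.0.0.5 TCP_MISS/200 5123 GET http://www.techdirt.example/articles/eu-p2p-torrent-law.html - DIRECT/203.0.113.7 text/html",
    "1342700001.456 12 10.0.0.9 TCP_DENIED/403 1032 GET http://torrentz.example/search?q=movie - NONE/- text/html",
    "1342700002.789 30 10.0.0.9 TCP_TUNNEL/200 2048 CONNECT tracker.thepiratebay.example:443 - DIRECT/198.51.100.4 -",
]

if __name__ == "__main__":
    for client, host, url in alerts_from_log(SAMPLE_LOG):
        print(f"ALERT client={client} host={host} url={url}")
```

Forwarding the returned tuples (or the matching raw lines) to the SIEM gives the category alert without inspecting packet contents.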
