Snort mailing list archives

Re: writing alert rules


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 02 Nov 2012 18:43:08 -0400

On 11/1/2012 18:15, Akinwale Fasuru wrote:
Hi,
I wrote a rule for alert on visiting www.youtube.com
alert rule
alert tcp any any =>  any any (msg:"someone is on youtube now!"; content:"www.youtube.com"; sid:1000002;rev:1;)

as noted already,

   1. the "=>" should be "->"
   2. the content match is much too general...
      it will match on these messages with that phrase...

the first step to tightening it up would be to limit it in directionality...

   alert tcp any any -> any any (msg:"someone is on youtube now!"; flow:to_server; content:"www.youtube.com"; sid:1000002; rev:2;)

the next step would be to limit the port... i'd say port 80 since youtube is a 
web service...

   alert tcp any any -> any 80 (msg:"someone is on youtube now!"; flow:to_server; content:"www.youtube.com"; sid:1000002; rev:3;)

then you'd also want to limit it to only url requests... depending on your 
setup, that might mean looking at the http_headers OR looking specifically for 
the "Host:" line in raw headers...

you would also want to limit it to outbound requests from your internal 
network(s)... that means looking for the originating side to be HOME_NET...

i'll leave those last refinements up to you to figure out since it is dependent 
on your configuration of snort... they are not the only refinements that may be 
needed, though... there could easily be others ;)
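A version of the rule with all of the refinements from the reply above applied (direction, port, Host header, HOME_NET origin), given here as an added example and not the original poster's or the list's own rule. It assumes the standard snort.conf variables $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS; the first variant also assumes the http_inspect preprocessor is enabled, and sid 1000003 is a placeholder chosen for the second rule.

```snort
# Variant 1: match the Host header in the normalized HTTP header buffer
# (requires http_inspect). Only outbound, established client->server
# traffic from HOME_NET to configured web ports is inspected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"someone is on youtube now!"; flow:to_server,established; content:"Host|3A| www.youtube.com"; nocase; http_header; classtype:policy-violation; sid:1000002; rev:4;)

# Variant 2: raw payload search for the "Host:" line, for setups without
# the HTTP preprocessor. Same direction limits, port pinned to 80.
# sid 1000003 is a placeholder; pick one free in your local range.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"someone is on youtube now!"; flow:to_server,established; content:"Host|3A| www.youtube.com"; nocase; classtype:policy-violation; sid:1000003; rev:1;)
```

Load only one of the two variants, and confirm the rule file parses with `snort -T -c <your snort.conf>` before putting it into production.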
