Re: writting alert rules

[waldo kitty <wkitty42 () windstream net>]

On 11/2/2012 14:00, Akinwale Fasuru wrote:
> Thanks Marcos it work. I tried to modify it just to alert only when users try to
> go on youtube with http_client_body (i think that is what it meant to do) but
> didnt generate any alert pls anybody help
> alert tcp any any -> any any (msg:"Someone is on youtube now!";
> flow:from_client; content:"www.youtube.com"; http_client_body; metadata:service http;
> classtype:policy-violation; priority:10; sid:1000002;rev:1;)

yeah, http_client_body is not what you want... that looks only at the body of 
the http traffic... what you are actually interested in is the headers so you 
can see the request going outbound from the user's browser tool ;)

looking only at the body will alert only on the http traffic where the body of 
the "page" contains your content... so if a user visits my site and one of the 
pages they look at contains a link to www.youtube.com, your rule will fire even 
if they do not click on it to actually go there...

you might also consider to remove the "www." part so that you can catch all 
youtube traffic and not just that to/from the www domain of youtube ;)

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!