Snort mailing list archives

FW: FW: Help with snort rule and notifications


From: Trever Leingod <treverleingod () hotmail com>
Date: Mon, 17 Feb 2014 18:23:48 -0500



From: treverleingod () hotmail com
To: cwaxman () cisco com
Subject: RE: [Snort-users] FW:  Help with snort rule and notifications
Date: Mon, 17 Feb 2014 18:23:35 -0500




Yes sir. It is getting traffic, it is just that the notification is not being written to a log file at all.

From: cwaxman () cisco com
To: treverleingod () hotmail com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW:  Help with snort rule and notifications
Date: Mon, 17 Feb 2014 20:32:51 +0000

It sounds like Snort isn't getting any traffic. Is the WinPCAP service installed and running?





From: Trever Leingod <treverleingod () hotmail com>

Date: Monday, February 17, 2014 3:13 PM

To: Snort Users <snort-users () lists sourceforge net>

Subject: Re: [Snort-users] FW: Help with snort rule and notifications

Tried this too but no notification still. I am running this on a Windows machine, if that makes any difference.



From: cwaxman () cisco com

To: treverleingod () hotmail com; snort-users () lists sourceforge net

Subject: Re: [Snort-users] FW: Help with snort rule and notifications

Date: Mon, 17 Feb 2014 19:49:49 +0000



If you are not getting any output, you might need to specify the network interface you wish to use. Run "snort.exe -W" 
to get a list of interfaces, then run "snort -d -i <interface#>" to capture.





From: Trever Leingod <treverleingod () hotmail com>

Date: Monday, February 17, 2014 2:38 PM

To: Snort Users <snort-users () lists sourceforge net>

Subject: [Snort-users] FW: Help with snort rule and notifications

From: treverleingod () hotmail com

To: cwaxman () cisco com

Subject: RE: [Snort-users] Help with snort rule and notifications

Date: Mon, 17 Feb 2014 14:38:33 -0500




Hello Carter



Thanks for the extra input. 



I've tried what you and Jeremy mentioned and I'm still not getting any notifications for opening the site.



What I did was use the code you both mentioned. I used "snort.exe -d" in the command line and browsed to gtx0.com. No 
log was made in the log folder and nothing was output to the command line screen either. Still making newbie mistakes 
here. Am I trying to detect the notification in the wrong manner?



Trever





From: cwaxman () cisco com

To: treverleingod () hotmail com; snort-users () lists sourceforge net

Subject: Re: [Snort-users] Help with snort rule and notifications

Date: Mon, 17 Feb 2014 14:45:13 +0000



Hi Trever,



I'm not sure if it's a typo, but both of those IPs are the same. If you are trying to specify multiple IPs or ports, 
you should separate with commas and enclose the list in [brackets]. As Jeremy mentioned, you will need to specify the 
correct ports explicitly.
As far as which ports to use, most websites will be using port 80 for HTTP or port 443 for HTTPS, though this isn't 
always true. I think this is what you were going for (assuming you are using standard HTTP / HTTPS ports):



alert tcp any any -> 173.254.252.81 [80,443] (msg: " **Alert gtx0.com has been opened**");



-Carter
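
An added rule checker, not code from anyone in this thread, that parses a Snort 2 rule header the way Carter and Jeremy describe it (address, then a port or a [bracketed] port list) and flags the two problems in the rule as first posted: the IP repeated where the destination port belongs, and the missing sid that Ed's reply says every new rule needs. The regexes are an assumed, simplified subset of Snort's grammar (plain IPs, CIDR, $VARIABLES, port ranges and bracket lists), not Snort's own parser.

```python
import re

# Snort 2 rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)
# Simplified port grammar: any, 80, 1024:, :1023, 80:90, $HTTP_PORTS, [80,443], optional leading '!'
PORT_RE = re.compile(r"^!?(any|\d{1,5}(:\d{0,5})?|:\d{1,5}|\$\w+|\[[\d,:\$\w\s]+\])$")
# Simplified address grammar, used only to give a better hint when an IP lands in a port slot
IP_RE = re.compile(r"^!?(\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?)$")


def check_rule(rule):
    """Return the list of problems found in one Snort 2 rule (empty list if it looks fine)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["header does not parse as: action proto src sport -> dst dport (options)"]
    problems = []
    for field in ("sport", "dport"):
        value = m.group(field)
        if not PORT_RE.match(value):
            hint = " (this is an IP address; a port such as [80,443] belongs here)" if IP_RE.match(value) else ""
            problems.append(f"{field} '{value}' is not a valid port spec{hint}")
    opts = m.group("opts")
    if not re.search(r"\bmsg\s*:", opts):
        problems.append("missing msg option")
    if not re.search(r"\bsid\s*:\s*\d+", opts):
        problems.append("missing sid option; local rules normally use an unused sid of 1000000 or higher")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the rule as first posted in this thread, and a corrected version of it
    for rule in (
        'alert tcp any any -> 173.254.252.81 173.254.252.81 (msg: " **Alert gtx0.com has been opened**")',
        'alert tcp any any -> 173.254.252.81 [80,443] (msg:"gtx0.com has been opened"; sid:1000001; rev:1;)',
    ):
        print(rule)
        for p in check_rule(rule) or ["ok"]:
            print("  -", p)
```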





From: Trever Leingod <treverleingod () hotmail com>

Date: Sunday, February 16, 2014 5:23 PM

To: Snort Users <snort-users () lists sourceforge net>

Subject: Re: [Snort-users] Help with snort rule and notifications

Yes, it is exactly as I put it in. The port number might be the issue then; some example I saw used the IP twice. I 
cannot seem to find the port number for this website though. I'll try to find it and try again. Thanks.



Trever





Date: Sat, 15 Feb 2014 19:56:15 -0700

Subject: Re: [Snort-users] Help with snort rule and notifications

From: jthoel () gmail com

To: treverleingod () hotmail com

CC: snort-users () lists sourceforge net



Is this the rule exactly as you put it in? You have the IP in twice and it should be 'ip<space>port', where port is 
probably [80,443] depending on how you access the site.

On Feb 15, 2014 5:11 PM, "Trever Leingod" <treverleingod () hotmail com> wrote:



Thanks for the input, Ed. I have tried what you suggested.



I made a new rule based on the rules already present:



"alert tcp any any -> 173.254.252.81 173.254.252.81 (msg: " **Alert gtx0.com has been opened**")"



(IP used above is the one for www.gtx0.com)



I used command "snort -d" and opened up gtx0.com in a browser but no notifications or logs were given. Any further tips, anyone?



--Trever Leingod--

CC: snort-users () lists sourceforge net

From: SnortFan () yahoo com

Subject: Re: [Snort-users] Help with snort rule and notifications

Date: Sat, 15 Feb 2014 11:02:14 -0500

To: treverleingod () hotmail com



Here's a quick and dirty way. You can take another rule and copy it. Then you have to pick a sid that's not in use.



Change the msg content to the URL. 



If you create a new rules file, you will have to include it in your snort.conf. 



If you are using something like barnyard2 there's more to do.



Cheers,
Ed








Sent from a mobile device. 




On Feb 14, 2014, at 4:33 PM, Trever Leingod <treverleingod () hotmail com> wrote:


I am quite new to using Snort.






I was hoping to get pointers on how to write a rule to get a notification if a certain website, like, say,
www.facebook.com, is opened in a web browser, and how I would get this notification/alert to show.



Trever Leingod


_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!