Snort mailing list archives

Re: (no subject)


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Sat, 19 Aug 2017 02:03:34 +0000

Try this.

For the traffic, I just curled to Facebook. Then I added your rule to a stripped-down conf file.

[alewis@localhost snort-2.9.9.0-released]$ ./bin/snort -c etc/facebook.conf -r etc/facebook.pcap -Acmg -q
08/18-09:34:12.842568  [**] [1:1000002:1] entro a facebook [**] [Priority: 0] {TCP} 31.13.69.228:80 -> 10.0.2.15:48728
08/18-09:34:12.842568 52:54:00:12:35:02 -> 08:00:27:09:EE:69 type:0x800 len:0x18C
31.13.69.228:80 -> 10.0.2.15:48728 TCP TTL:64 TOS:0x0 ID:43349 IpLen:20 DgmLen:382
***AP*** Seq: 0xC44A02  Ack: 0x8304A741  Win: 0xFFFF  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 33 30 32 20 46 6F 75  HTTP/1.1 302 Fou
6E 64 0D 0A 4C 6F 63 61 74 69 6F 6E 3A 20 68 74  nd..Location: ht
74 70 73 3A 2F 2F 77 77 77 2E 66 61 63 65 62 6F  tps://www.facebo
6F 6B 2E 63 6F 6D 2F 0D 0A 58 2D 46 42 2D 44 65  ok.com/..X-FB-De
62 75 67 3A 20 6E 55 4D 42 37 69 51 59 41 73 76  bug: nUMB7iQYAsv
47 36 4F 71 69 39 30 59 68 79 71 55 75 57 72 64  G6Oqi90YhyqUuWrd
2F 4B 46 55 6C 37 75 33 6E 73 2B 71 79 55 76 41  /KFUl7u3ns+qyUvA
4B 72 4A 52 63 67 53 2B 58 62 33 71 6B 4A 42 34  KrJRcgS+Xb3qkJB4
4E 6B 7A 32 50 47 6D 2B 33 6E 79 62 64 50 51 57  Nkz2PGm+3nybdPQW
5A 4D 4B 59 35 4F 46 32 70 48 67 3D 3D 0D 0A 44  ZMKY5OF2pHg==..D
61 74 65 3A 20 46 72 69 2C 20 31 38 20 41 75 67  ate: Fri, 18 Aug
20 32 30 31 37 20 31 33 3A 33 36 3A 31 34 20 47   2017 13:36:14 G
4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67  MT..Content-Leng
74 68 3A 20 30 0D 0A 43 6F 6E 74 65 6E 74 2D 54  th: 0..Content-T
79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 3B 20  ype: text/html;
63 68 61 72 73 65 74 3D 55 54 46 2D 38 0D 0A 56  charset=UTF-8..V
69 61 3A 20 31 2E 31 20 72 74 70 35 2D 64 6D 7A  ia: 1.1 rtp5-dmz
2D 77 73 61 2D 36 2E 63 69 73 63 6F 2E 63 6F 6D  -wsa-6.cisco.com
3A 38 30 20 28 43 69 73 63 6F 2D 57 53 41 2F 31  :80 (Cisco-WSA/1
30 2E 31 2E 31 2D 32 33 35 29 0D 0A 43 6F 6E 6E  0.1.1-235)..Conn
65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69  ection: keep-ali
76 65 0D 0A 0D 0A                                ve....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Omar Johnatan Lopez Carrillo <olopez () utc edu mx>
Date: Friday, August 18, 2017 at 9:30 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] (no subject)

Good morning, friends.
I have the following rule, but it does not give me an alert. I ask for your help to find out what I am doing wrong.

alert tcp any any -> any any (content:"https://www.facebook.com";msg:"entro a facebook";sid:1000002;rev:001;)

Regards
--
Ing. Omar J. Lopez Carrillo

Technical Support, Universidad Tecnológica de Coahuíla
Tel: 288 388 00      ext: 173

Attachment: facebook.conf
Description: facebook.conf

Attachment: facebook.pcap
Description: facebook.pcap
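Added example, not code from either message in this thread: a short Python re-implementation of the two things the rule above relies on, splitting the rule into its header fields and options, and running the plain (unmodified) `content:` byte search that Snort performs on a packet payload. It decodes the payload straight from the -A cmg hex dump in Al Lewis's reply and reports the offset and header line where "https://www.facebook.com" is found, which is the Location header of the server's 302 response (the alert in the reply is on the 80 -> client direction). It then runs the same rule over a constructed HTTP request, which carries no such string and so produces no alert. The constructed request, the regular expressions and all function names are this example's own assumptions, not Snort's code.

```python
import re

# Rule copied verbatim from the original question.
RULE = ('alert tcp any any -> any any (content:"https://www.facebook.com";'
        'msg:"entro a facebook";sid:1000002;rev:001;)')

# Hex dump copied from the reply's Snort -A cmg output (the 302 response).
DUMP = """\
48 54 54 50 2F 31 2E 31 20 33 30 32 20 46 6F 75  HTTP/1.1 302 Fou
6E 64 0D 0A 4C 6F 63 61 74 69 6F 6E 3A 20 68 74  nd..Location: ht
74 70 73 3A 2F 2F 77 77 77 2E 66 61 63 65 62 6F  tps://www.facebo
6F 6B 2E 63 6F 6D 2F 0D 0A 58 2D 46 42 2D 44 65  ok.com/..X-FB-De
62 75 67 3A 20 6E 55 4D 42 37 69 51 59 41 73 76  bug: nUMB7iQYAsv
47 36 4F 71 69 39 30 59 68 79 71 55 75 57 72 64  G6Oqi90YhyqUuWrd
2F 4B 46 55 6C 37 75 33 6E 73 2B 71 79 55 76 41  /KFUl7u3ns+qyUvA
4B 72 4A 52 63 67 53 2B 58 62 33 71 6B 4A 42 34  KrJRcgS+Xb3qkJB4
4E 6B 7A 32 50 47 6D 2B 33 6E 79 62 64 50 51 57  Nkz2PGm+3nybdPQW
5A 4D 4B 59 35 4F 46 32 70 48 67 3D 3D 0D 0A 44  ZMKY5OF2pHg==..D
61 74 65 3A 20 46 72 69 2C 20 31 38 20 41 75 67  ate: Fri, 18 Aug
20 32 30 31 37 20 31 33 3A 33 36 3A 31 34 20 47   2017 13:36:14 G
4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67  MT..Content-Leng
74 68 3A 20 30 0D 0A 43 6F 6E 74 65 6E 74 2D 54  th: 0..Content-T
79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 3B 20  ype: text/html;
63 68 61 72 73 65 74 3D 55 54 46 2D 38 0D 0A 56  charset=UTF-8..V
69 61 3A 20 31 2E 31 20 72 74 70 35 2D 64 6D 7A  ia: 1.1 rtp5-dmz
2D 77 73 61 2D 36 2E 63 69 73 63 6F 2E 63 6F 6D  -wsa-6.cisco.com
3A 38 30 20 28 43 69 73 63 6F 2D 57 53 41 2F 31  :80 (Cisco-WSA/1
30 2E 31 2E 31 2D 32 33 35 29 0D 0A 43 6F 6E 6E  0.1.1-235)..Conn
65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69  ection: keep-ali
76 65 0D 0A 0D 0A                                ve....
"""

# Constructed (not from the thread): a plain HTTP request as a client would
# send it. It carries no "https://www.facebook.com", so the rule must not fire.
REQUEST = b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n"

# A run of single-space-separated hex pairs at the start of a dump line; the
# ASCII gutter follows two spaces after the last pair and is left out.
HEX_RUN = re.compile(r"^((?:[0-9A-Fa-f]{2} )*[0-9A-Fa-f]{2})")
# `key:value;` rule options; values may be double-quoted strings.
OPTION = re.compile(r'(\w+):("[^"]*"|[^;]*);')


def parse_rule(rule):
    """Split a one-line Snort rule into its header fields and an option dict."""
    head, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = {k: v.strip('"') for k, v in OPTION.findall(body.rstrip(")"))}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def parse_cmg_dump(dump):
    """Recover the payload bytes from a Snort -A cmg hex dump."""
    payload = bytearray()
    for line in dump.splitlines():
        m = HEX_RUN.match(line)
        if m:
            payload.extend(int(h, 16) for h in m.group(1).split())
    return bytes(payload)


def content_offset(rule, payload):
    """Unmodified `content:` match: case-sensitive byte search, -1 if absent."""
    return payload.find(rule["options"]["content"].encode())


def evaluate(rule_text, payload):
    """Return alert details if the rule's content matches this payload, else None."""
    rule = parse_rule(rule_text)
    off = content_offset(rule, payload)
    if off < 0:
        return None
    # Report the CRLF-delimited line the match fell in, as the ASCII gutter shows it.
    start = payload.rfind(b"\r\n", 0, off)
    start = 0 if start < 0 else start + 2
    end = payload.find(b"\r\n", off)
    end = len(payload) if end < 0 else end
    return {"sid": rule["options"]["sid"], "msg": rule["options"]["msg"],
            "offset": off, "matched_line": payload[start:end].decode("latin-1")}


if __name__ == "__main__":
    response = parse_cmg_dump(DUMP)
    print("response payload:", len(response), "bytes")  # DgmLen 382 - IpLen 20 - TcpLen 20
    print("response:", evaluate(RULE, response))
    print("request :", evaluate(RULE, REQUEST))
```

Running it shows the match at byte offset 30 of the response, inside "Location: https://www.facebook.com/", and no match at all for the request. That is the check to keep in mind when a content rule stays silent: the bytes Snort searches are whichever direction and layer actually carries the literal string.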
