Snort mailing list archives

Assistance w rule that detects traffic to *IP only* URL


From: John Davis via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 4 Jun 2019 19:21:47 -0500

I've had some exposure to creating Snort rules from a previous course. I'm a
bit of a novice, so apologies ahead of time for any mistakes or errors in
assumption. I'm interested in a Snort rule that can provide an alert when it
detects any outbound traffic to an external URL that is referenced by IP
address only.

Example:
Internal host x browsing to http://www.cnn.com - no match to rule, no alert
Internal host x browsing to http://71.29.x.x - matches rule, alert generated

That example is probably the most common: HTTP traffic over port 80. However,
my assumption is that any internal source that generates unencrypted requests
to reach an external site URL should most likely require a DNS query, and I
figured that's where the rule should perform its detection. I've been
searching to see if this type of rule already exists and so far haven't
had any luck. I'm also not quite sure if this is achievable or the best
approach for detection, but it would appear the rule needs to be capable of
making the distinction between an alphanumeric URL with a DNS record vs. a URL
that is identified by IP address only. Anyone who may be able to provide
some perspective on this creation or point me in the right direction would
be appreciated. Thanks!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
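As an added example (not part of the thread and not from the official Snort ruleset): a Snort 2.9 rule that fires when an outbound HTTP request carries an IP literal in its Host header. A browser sent to http://71.29.x.x/ puts that literal straight into the Host header and performs no DNS lookup at all, so there is nothing on the DNS side to match; inspecting the normalized HTTP header buffer is the direct route. $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are the stock snort.conf variables, and sid 1000001 is a placeholder in the local (1000000+) range.

```snort
# Added example, not from the thread or the Snort ruleset. Alerts on an HTTP
# request whose Host header is an IPv4 literal or a bracketed IPv6 literal,
# with an optional :port suffix. Assumes the default snort.conf variables;
# sid 1000001 is a local placeholder.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"POLICY-OTHER HTTP request with IP-literal Host header"; \
    flow:to_server,established; \
    content:"Host|3A| "; nocase; http_header; \
    pcre:"/^Host\x3a\s*(?:\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-f\x3a.]+\])(?:\x3a\d{1,5})?\s*$/Hmi"; \
    metadata:service http; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)
```

The content match on "Host: " is a cheap pre-filter so the fast pattern matcher discards the bulk of traffic before the pcre runs; the pcre then requires the whole header value to be numeric-dotted (or bracketed hex-and-colons) rather than a hostname, so a request for www.cnn.com does not match while a request for 71.29.x.x does. The IPv4 check is deliberately loose (it does not range-check octets) because no resolvable hostname looks like four dotted numbers anyway. Two caveats a deployment needs: the rule only sees plaintext HTTP on ports in $HTTP_PORTS (HTTPS exposes no Host header, and an IP-literal TLS connection typically carries no SNI, which is a different rule entirely), and Snort 3 uses sticky-buffer syntax, so the option layout changes there.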
