Snort mailing list archives
Assistance w rule that detects traffic to *IP only* URL
From: John Davis via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 4 Jun 2019 19:21:47 -0500
Ive had some exposure to creating snort rules from a previous course. Im a bit of a novice, so apologies ahead of time for any mistakes or errors in assumption. Im interested in a snort rule that can provide an alert when it detects any outbound traffic to an external URL that is referenced by IP address only. Example: Internal host x browsing to http://www.cnn.com - no match to rule, no alert Internal host x browsing to http://71.29.x.x. matches rule, alert generated That example is probably most common, http traffic over port 80. However, my assumption is, any internal source that generates unencrypted requests to reach an external site URL, should most likely require a DNS query and figured that’s where the rule should perform it’s detection. Ive been searching to see if this type of rule already exists and so far, haven’t had any luck. Im also not quite sure if this is achievable or the best approach for detection, but it would appear the rule needs to be capable of making the distinction between an alphanumeric URL w a DNS record vs a URL that is identified by IP address only. Anyone that may be able to provide some perspective on this creation or point me in the right direction would be appreciated. Thanks!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Assistance w rule that detects traffic to *IP only* URL John Davis via Snort-sigs (Jun 04)
- Re: Assistance w rule that detects traffic to *IP only* URL Dave Killion via Snort-sigs (Jun 04)
- Re: Assistance w rule that detects traffic to *IP only* URL Dave Killion via Snort-sigs (Jun 04)
- Re: Assistance w rule that detects traffic to *IP only* URL Al Lewis (allewi) via Snort-sigs (Jun 04)
- Re: Assistance w rule that detects traffic to *IP only* URL Dave Killion via Snort-sigs (Jun 04)
- Re: Assistance w rule that detects traffic to *IP only* URL Dave Killion via Snort-sigs (Jun 04)
- Re: Assistance w rule that detects traffic to *IP only* URL Joel Esler (jesler) via Snort-sigs (Jun 05)
- Re: Assistance w rule that detects traffic to *IP only* URL Joel Esler (jesler) via Snort-sigs (Jun 05)
- Re: Assistance w rule that detects traffic to *IP only* URL Dave Killion via Snort-sigs (Jun 05)
- Re: Assistance w rule that detects traffic to *IP only* URL John Davis via Snort-sigs (Jun 05)
- Re: Assistance w rule that detects traffic to *IP only* URL Alex McDonnell (Jun 05)
- Re: Assistance w rule that detects traffic to *IP only* URL Dave Killion via Snort-sigs (Jun 04)
- Re: Assistance w rule that detects traffic to *IP only* URL Dave Killion via Snort-sigs (Jun 04)