Re: how can we alert on web visiting activity?

[Matt Olney <molney () sourcefire com>]

Mary,

If we were to write a rule covering this, this is what it most likely would be:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MISC Ebay
site access"; flow: to_server, established; content:"ebay.com";
http_header; classtype: misc-activity; sid: 4;)

Against a pcap of me browsing to ebay.com with Chrome, I get the following:

[molney@vrt-app-01 ~]$ stest ebay.pcap -l

Snort Test Suite v.0.3.0

Alerts:
1:4:0           MISC Ebay site access
          Alerts: 37

Your issue is in how you've setup and configured Snort, not Snort or
the rules language.

Matt

On Thu, Nov 19, 2009 at 2:27 PM, mary andrews <maryandrews22 () gmail com> wrote:
> we are pulling our hair on this one...
>
> alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
> content:"ebay"; nocase; rawbytes; sid:1000002;rev:1;)
>
> we are using snort 2.8.5.1 under win XP and the rawbytes didnt help here
> either...
>
>
>
>
> On Thu, Nov 19, 2009 at 2:01 PM, evilghost () packetmail net
> <evilghost () packetmail net> wrote:
> > What version of Snort are you using?  I have had issues with content
> > matching working correctly in the 2.8 branch (as have others at Emerging
> > Threats), I was able to get content matching to work as expected by
> > using the rawbytes option.  See section 3.5.3 in the Snort manual.
> >
> > content:"ebay"; nocase; rawbytes;
> >
> > -evilghost
> >
> >
> > mary andrews wrote:
> > > Hello there, we have a testing.rules file with the following 3 lines
> > >
> > > #testing.rules
> > > alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
> > > alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
> > > content:"ebay"; nocase; sid:1000002;rev:1;)
> > > we put the rule as generic as we can, of course ebay is just an example.
> > >
> > > ping any site produces the alert $TESTING rule$ on the dos screen snort
> > > has
> > > been started.
> > >
> > > But using Internet Explorer to go to ebay, does not produce any alert.
> > > Our question is, what part of a rule triggers web visiting activity?
> > >
> > > thanks,
> > > m
> > >
> > >
> > > ------------------------------------------------------------------------
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> > > 30-Day
> > > trial. Simplify your report design, integration and deployment - and
> > > focus on
> > > what you do best, core application coding. Discover what's new with
> > > Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> > > ------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > Snort-sigs mailing list
> > > Snort-sigs () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs