Hi all! (and a snort sig question)

[Rob Vandenbrink via Snort-sigs <snort-sigs () lists snort org>]

Hi everyone - long time snort user / new to this list though

I'm trying to build a signature that triggers on a user browsing by IP address (instead of by fqdn or cn).
So it would be fine with "https://www.cisco.com"; but trigger on "https://23.56.210.155";  (or whatever cisco resolves to 
that day)

So far I have this:

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \
    msg:"BROWSER OTHER alert on direct ip browsing"; \
    content:"."; \
    http_raw_uri:host; \
    pcre:"/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/"; \
    ssl_state:client_hello; \
    sid:1000010; \
    rev:33; \
    gid:1; \
    priority:4; \
    classtype:unknown;  \
)

No joy on this at all - it reads fine into the config, but never fires.

I think this is a basic misunderstanding on how to chain the field, the content and the pcre statement together.  They 
only parse if they're in this order, but I have no clue how to get one line to relate to the next (the content line 
seems extraneous to me)
If there was a decent reference website I'd go there, but most either document everything discretely (rather than in 
combination), or have really basic examples ...

If anyone has good thoughts on this, beverages are on me if you are ever at a SANSFIRE or SECTOR conference (or are in 
Ontario Canada near me).

(and yes, when all is done I can play with http_uri and raw_uri to see which works best for evasive encoding)
==============
Rob VandenBrink
519-589-1881

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!