Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[Snort-users] Alert based on website URL

8,258 views
Skip to first unread message

Feroz Basir

unread,
Jan 12, 2014, 1:04:55 PM1/12/14
to
Hi All,

I'm trying to monitor user/program accessing certain website on port 80 or different port. Would below rule work? Tried them but without any success. Perhaps i missed something.

Alert tcp any any -> any 80 (MSG: "user/program accessing Facebook"; content: "www.facebook.com")

Or based on DNS query.

Alert udp any any -> any 53 (MSG: "user/program accessing Facebook"; content: "www.facebook.com")

Thanks.

Regards,
Feroz Basir
------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today.
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Nicholas Mavis (nmavis)

unread,
Jan 13, 2014, 11:18:53 AM1/13/14
to
Feroz,

The rules you have would not work for what you want to achieve. Here some
some quick revisions to the rules you provided:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http";
content:"Host|3A| facebook.com"; fast_pattern: only;)

alert udp $HOME_NET any -> any 53 (msg:"Facebook DNS";
byte_test:1,!&,0xF8,2; content:"|08|facebook|03|com|00|"; fast_pattern:
only;)

$HOME_NET is defined as your internal network you are monitoring and
$EXTERNAL_NET is typically set to "any". $HTTP_PORTS is set to the Snort
defaults in my configuration.

-Nick Mavis

Feroz Basir

unread,
Jan 13, 2014, 11:32:21 AM1/13/14
to
Hi Nicholas,

Thanks for replying. FYI, Facebook.com is just an example. Would that work with other URL as well?

What is that - Host|3A| ?

Care to teach me on how you got - byte_test:1,!&,0xF8,2; ?

Thanks again. I have quite numbers of URL that I need to monitor and using different port number as well.

Regards,
Feroz Basir

Nicholas Mavis (nmavis)

unread,
Jan 13, 2014, 1:40:56 PM1/13/14
to
Yes, they would work if you altered the content matches correctly. The
byte_test verifies that the packet is a valid DNS request and Host|3A|
would be part of the HTTP headers. If you have further questions regarding
those content matches, I would recommend reading into DNS and HTTP
protocols along with their typical header structure.

Feroz Basir

unread,
Jan 13, 2014, 9:34:30 PM1/13/14
to
Hi Nicholas,

I copy n paste the rule into local.rules file. I still couldn't see any alert when I accessed www.facebook.com. Can you help, please?

Thanks again.

Regards,
Feroz Basir

Feroz Basir

unread,
Jan 20, 2014, 12:24:25 PM1/20/14
to
Hi All,

Anyone could help me on my basic snort rule, please? I've tried a few combination and nothing worked for me. Thanks.

Regards,
Feroz Basir

Joel Esler (jesler)

unread,
Jan 20, 2014, 1:04:46 PM1/20/14
to
Did you try this first?

https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md

Feroz Basir

unread,
Jan 21, 2014, 11:24:37 AM1/21/14
to
Hi Joel,

I didn't receive alert that I expected but other alerts instead.

Thanks.


Regards,
Feroz Basir
0 new messages