Alert to detect someone accessing specific websites


Neeraj Shah

Mar 19, 2018, 3:02:23 PM
to security-onion
Hello All,
I am trying the below SNORT rule in my Security Onion server to detect web traffic going to facebook.com, but it is not working as expected. There is no alert generated in ELSA/SQUERT when I try browsing facebook.com. My $HOME_NET variable is correctly defined.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Facebook http"; content:"Host|3A| facebook.com"; fast_pattern: only; sid:10000010; rev:1;)

Can someone please help as to what's wrong with the above rule, or what I should use instead to get alerted on traffic going to domains I want to monitor?

Thanks
Neeraj

Wes Lambert

Mar 19, 2018, 3:59:29 PM
to securit...@googlegroups.com
Hi Neeraj,

While we don't mind helping with rules and such every now and then, if you have many questions in regard to rule development, you may get better and faster responses on the Snort Sigs mailing list:


The first thing you will want to check is whether your rule has even been loaded into /etc/nsm/rules/downloaded.rules, and whether you have any errors in the snortu-X.log.

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Kevin Branch

Mar 19, 2018, 4:38:23 PM
to securit...@googlegroups.com
One thing to consider is that your browser is almost certainly going to immediately switch to using https, not http, for browsing facebook.com. That traffic will be encrypted, and thus your rule will never match the http header content it is looking for. With Suricata, you could match on the tls_sni containing "facebook.com".
I do not know if Snort has a way to do that.

Kevin


Neeraj Shah

Mar 19, 2018, 7:16:58 PM
to security-onion
Thank you Wes & Kevin. Yes, my rule has made it to the downloaded.rules file.
I see the redirection happening from http to https on some of these websites. What is a good way to maintain a list of blacklisted websites/domains that we want to be alerted on? Do we just create a variable in the snort.conf file for that?

Thanks again

Kevin Branch

Mar 19, 2018, 9:14:28 PM
to securit...@googlegroups.com
If your list is too big or too dynamic to just maintain a set of local snort/suricata rules for this purpose, I'd suggest you consider using the Bro Intel Framework (https://www.bro.org/sphinx-git/frameworks/intel.html), which would allow you to maintain a list of host names that Bro would compare all http and many https connections against for host name matches. Bro is able to see the tls sni host name value in https sessions that contain them. There is even an optional bro_agent script (https://github.com/int13h/bro_agent) you could use to get such intel events pushed over to Sguil/Squert in real time. Of course you may or may not be using Bro in your setup.

Kevin
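To make Kevin's two points concrete (a plaintext `Host:` match stops working once the browser is redirected to https, but the host name is still visible in the TLS ClientHello's SNI extension, which is what Suricata's tls_sni keyword and Bro's intel framework match on), here is an added Python example that is not part of this thread and not code from Security Onion, Snort, Suricata or Bro. It parses a client-to-server payload as either an HTTP request or a TLS ClientHello, extracts the host name from whichever is present, and checks it against a constructed watchlist. The `build_client_hello` helper only fabricates a minimal ClientHello so the parser can be exercised offline; the watchlist contents are a made-up sample. One detail the original rule overlooks is also handled: the browser sends `Host: www.facebook.com`, so the match has to be a suffix match on the registered domain, not an exact match on `facebook.com`.

```python
import struct

# Constructed sample watchlist; a deployment would load its own domain list.
WATCHLIST = {"facebook.com", "example-blocked.test"}


def domain_matches(host, watchlist=WATCHLIST):
    """True if host equals a watchlisted domain or is a subdomain of one."""
    host = host.lower().rstrip(".").split(":", 1)[0]  # drop trailing dot and any :port
    return any(host == d or host.endswith("." + d) for d in watchlist)


def http_host(payload):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    if not lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def tls_sni(payload):
    """Return the server_name from a TLS ClientHello, or None if absent or not TLS."""
    # Record header: type(1)=0x16 handshake, version(2), length(2); then handshake type(1)=1.
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    hello = payload[9:9 + hs_len]
    pos = 2 + 32                                   # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # compression_methods
    if len(hello) < pos + 2:
        return None
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end and end <= len(hello):    # walk the extension list
        ext_type = int.from_bytes(hello[pos:pos + 2], "big")
        ext_size = int.from_bytes(hello[pos + 2:pos + 4], "big")
        body = hello[pos + 4:pos + 4 + ext_size]
        if ext_type == 0:                          # server_name extension
            # list length(2), name_type(1)=0 host_name, name length(2), name bytes
            if len(body) >= 5 and body[2] == 0:
                name_len = int.from_bytes(body[3:5], "big")
                return body[5:5 + name_len].decode("ascii", "replace")
            return None
        pos += 4 + ext_size
    return None


def build_client_hello(server_name):
    """Constructed sample: a minimal, well-formed ClientHello carrying an SNI."""
    name = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # one (null) compression method
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def check_flow(payload):
    """Classify one client-to-server payload as (kind, host, watchlist_hit)."""
    host = http_host(payload)
    if host is not None:
        return ("http", host, domain_matches(host))
    host = tls_sni(payload)
    if host is not None:
        return ("tls", host, domain_matches(host))
    return ("unknown", None, False)


if __name__ == "__main__":
    samples = [
        b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",   # the pre-redirect request
        build_client_hello("www.facebook.com"),              # what the https session shows
        build_client_hello("example.org"),
    ]
    for p in samples:
        print(check_flow(p))
```

The HTTP branch is what the original Snort rule was trying to do; the TLS branch is the equivalent of Suricata's tls_sni match and of Bro comparing the SNI against an intel list. One caveat worth keeping in mind: SNI is only visible when the client sends it in the clear, so a ClientHello that omits it (or, with newer encrypted ClientHello extensions, hides it) will fall through to `("unknown", None, False)` rather than producing a false negative silently.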



Philip Robson

Mar 20, 2018, 3:03:20 AM
to securit...@googlegroups.com
If you just want to alert, then maybe look at elastalert; that can have what they call white and blacklists in a txt file. You should be able to use Discover to search for the event with the domain that you want to trigger on.

You would be able to choose the logs that give you the data that's closest to what you want and use that for the query.

This is assuming you are using elastic.


Neeraj Shah

Mar 21, 2018, 10:15:39 AM
to security-onion
Thank you Kevin, Philip. Appreciate it.