Snort mailing list archives
Re: how can we alert on web visiting activity?
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Thu, 19 Nov 2009 13:49:20 -0500
rule 1000001 alerts on ICMP only
rule 1000002 alerts on TCP only

pings are ICMP and website access would be TCP

not sure why your content match for "ebay" is not working..

-J

-----Original Message-----
From: mary andrews [mailto:maryandrews22 () gmail com]
Sent: Thursday, November 19, 2009 1:41 PM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] how can we alert on web visiting activity?

Hello there,

we have a testing.rules file with the following 3 lines

#testing.rules
alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; sid:1000002;rev:1;)

we put the rule as generic as we can, of course ebay is just an example.

ping any site produces the alert $TESTING rule$ on the dos screen snort has been started.

But using Internet Explorer to go to ebay, does not produce any alert.

Our question is, what part of a rule triggers web visiting activity?

thanks,
m

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
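The distinction drawn in the reply (the protocol in the rule header decides which traffic a rule is even considered for, and the options then narrow it) can be checked against the two rules from the post with a small model. This is an added example, not part of the original thread and not Snort's own matching engine; the packet dictionaries and the helper names `parse_rule`, `matches` and `fired_sids` are assumptions made for illustration.

```python
# The two rules from the post, copied verbatim.
RULES = [
    'alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"test eBay rule"; flow:established; '
    'content:"ebay"; nocase; sid:1000002;rev:1;)',
]

def parse_rule(text):
    """Split a rule into its header protocol and a dict of its options."""
    header, _, body = text.partition("(")
    proto = header.split()[1]              # "alert <proto> <src> ..."
    opts = {}
    for item in body.rstrip(") ").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return proto, opts

def matches(rule_text, pkt):
    """Simplified evaluation: protocol first, then flow, then content."""
    proto, opts = parse_rule(rule_text)
    if proto != pkt["proto"]:              # header protocol gates everything
        return False
    if opts.get("flow") == "established" and not pkt.get("established"):
        return False                       # e.g. a bare SYN carries no session
    if "content" in opts:
        needle, payload = opts["content"].encode(), pkt["payload"]
        if "nocase" in opts:
            needle, payload = needle.lower(), payload.lower()
        if needle not in payload:
            return False
    return True

def fired_sids(pkt):
    return [int(parse_rule(r)[1]["sid"]) for r in RULES if matches(r, pkt)]

# Constructed sample packets (not captured traffic).
PING = {"proto": "icmp", "payload": b"abcdefghijklmnop"}
SYN = {"proto": "tcp", "established": False, "payload": b""}
HTTP_EBAY = {"proto": "tcp", "established": True,
             "payload": b"GET / HTTP/1.1\r\nHost: www.eBay.com\r\n\r\n"}
HTTP_OTHER = {"proto": "tcp", "established": True,
              "payload": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"}

if __name__ == "__main__":
    for name in ("PING", "SYN", "HTTP_EBAY", "HTTP_OTHER"):
        print(name, fired_sids(globals()[name]))
```

In this model the HTTP request to the site does fire sid 1000002, so when the real sensor stays silent the places to look are outside the rule text: whether the TCP traffic reaches the sensor at all and whether the session is being tracked as established.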