Snort mailing list archives

Re: how can we alert on web visiting activity?


From: Jason Brvenik <jasonb () sourcefire com>
Date: Thu, 19 Nov 2009 14:46:27 -0500

Please try starting Snort without checksum checking. The Snort manual
has information about how to do that; to understand why, look up
checksum offloading.

On Thu, Nov 19, 2009 at 2:40 PM, mary andrews <maryandrews22 () gmail com> wrote:
Just one machine in all, running Windows XP, then Snort 2.8.5.1.

When we open a DOS window and issue any ping, it alerts on the DOS screen
on which Snort is running, and it also gets logged.

Now from that machine we open an instance of Internet Explorer 8 and visit
www.ebay.com.

We expect to see the alert on the DOS screen (or logged in Snort) just as
the alert from ping.

Should we try something else?

On Thu, Nov 19, 2009 at 2:35 PM, Jason Brvenik <jasonb () sourcefire com> wrote:

Where are you accessing eBay from, where is Snort in that equation, and
what are the machines involved?

On Thu, Nov 19, 2009 at 2:27 PM, mary andrews <maryandrews22 () gmail com> wrote:
We are pulling our hair out on this one...

alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; rawbytes; sid:1000002; rev:1;)

We are using Snort 2.8.5.1 under Windows XP and the rawbytes didn't help
here either...




On Thu, Nov 19, 2009 at 2:01 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:

What version of Snort are you using? I have had issues with content
matching working correctly in the 2.8 branch (as have others at Emerging
Threats); I was able to get content matching to work as expected by
using the rawbytes option. See section 3.5.3 in the Snort manual.

content:"ebay"; nocase; rawbytes;

-evilghost


mary andrews wrote:
Hello there, we have a testing.rules file with the following 3 lines:

#testing.rules
alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
alert tcp any any -> any any (msg:"test eBay rule"; flow:established; content:"ebay"; nocase; sid:1000002; rev:1;)

We made the rule as generic as we could; of course eBay is just an
example.

Pinging any site produces the alert $TESTING rule$ on the DOS screen
where Snort has been started.

But using Internet Explorer to go to eBay does not produce any alert.
Our question is, what part of a rule triggers on web visiting activity?

thanks,
m



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs









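Jason's reply points at checksum checking and checksum offloading as the reason the eBay rule stays silent while the ICMP rule fires on the same Windows XP box. The script below is an added example, not code from this thread or from the Snort project: it builds a TCP segment carrying an HTTP request for www.ebay.com, once with a correct checksum and once with the zeroed checksum that a capture on the sending host sees when the NIC computes checksums later, and models Snort's decoder gate (verify checksums under the default -k all, skip TCP verification under -k none or -k notcp) in front of the rule's content match. The packet bytes, addresses and port numbers are constructed for the demonstration, and the remark that ICMP echo is usually not offloaded is an assumption about typical NIC behaviour, not something the thread establishes.

```python
"""Added example (not from the thread or from Snort): why a TCP rule can stay
silent on a sniffing host whose NIC offloads checksums, while an ICMP rule
fires.

Snort verifies IP/TCP/UDP/ICMP checksums by default ("-k all", or
"config checksum_mode: all") and discards a packet that fails the check
before any rule is evaluated.  With checksum offloading, the capture library
on the sending host receives outbound TCP segments BEFORE the hardware has
filled in the checksum field, so every browser request looks corrupt to
Snort and never reaches the content matcher.  ICMP echo from ping is usually
checksummed in software (assumption), which is why that rule still fires.
"""
import socket
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by IP/TCP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """Pseudo header covered by the TCP checksum in addition to the segment."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def build_tcp_segment(src_ip, dst_ip, sport, dport, payload, offloaded=False):
    """Build a 20-byte TCP header plus payload.

    offloaded=True leaves the checksum field at 0: that is what a capture on
    the sending host sees when the NIC is going to compute the checksum.
    """
    hdr = struct.pack("!HHIIHHHH",
                      sport, dport,
                      1000, 2000,            # seq / ack (constructed values)
                      (5 << 12) | 0x18,      # data offset 5 words, PSH|ACK
                      65535,                 # window
                      0,                     # checksum, filled in below
                      0)                     # urgent pointer
    if not offloaded:
        covered = tcp_pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload
        csum = (~ones_complement_sum(covered)) & 0xFFFF
        hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]
    return hdr + payload


def tcp_checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Verify: ones' complement sum over pseudo header + segment is 0xFFFF."""
    pseudo = tcp_pseudo_header(src_ip, dst_ip, len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def snort_reaches_rules(src_ip, dst_ip, segment: bytes, checksum_mode: str = "all") -> bool:
    """Model of Snort's decoder gate for a TCP segment.

    checksum_mode mirrors "snort -k <mode>" / "config checksum_mode: <mode>":
    'all' (the default) verifies TCP; 'notcp' and 'none' skip the TCP check.
    """
    if checksum_mode in ("none", "notcp"):
        return True
    return tcp_checksum_ok(src_ip, dst_ip, segment)


def content_match(segment: bytes, needle: bytes, nocase: bool = True) -> bool:
    """The part of the eBay rule that does the work: content:"ebay"; nocase;"""
    payload = segment[20:]                   # skip the 20-byte TCP header
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


if __name__ == "__main__":
    src, dst = "192.0.2.10", "198.51.100.20"   # RFC 5737 documentation addresses
    http = b"GET / HTTP/1.1\r\nHost: www.ebay.com\r\n\r\n"   # constructed request
    good = build_tcp_segment(src, dst, 1025, 80, http)
    offl = build_tcp_segment(src, dst, 1025, 80, http, offloaded=True)
    for name, seg in (("normal capture", good), ("offloaded capture", offl)):
        for mode in ("all", "none"):
            inspected = snort_reaches_rules(src, dst, seg, mode)
            fired = inspected and content_match(seg, b"ebay")
            print(f"{name:18} -k {mode:4}: rules evaluated={inspected} "
                  f"eBay rule fires={fired}")
```

Running the script shows the "offloaded capture" row failing verification under -k all and matching under -k none, which is the difference Jason's suggestion makes; on a single-host test setup the equivalent is `snort -k none` on the command line or `config checksum_mode: none` in snort.conf. On a sensor that sees traffic from a tap or span port rather than its own NIC the checksums are already filled in, so the default verification can stay on and continue to discard genuinely corrupt segments.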

