Snort mailing list archives
Re: Need help 'log to' option of the snort rule
From: manjushree ks <manjushree.ks () hotmail com>
Date: Fri, 26 Mar 2010 19:59:43 +0530
Hello L0rd Ch0de1m0rt,

Thanks so much for the suggestions. Sure, I would consider your suggestion of changing 'any' to the $HTTP_PORTS variable.

Secondly, my idea of writing this snort rule is that an alert needs to be triggered every time a youtube video is played, whether it is played from youtube.com or from any other website. The rule should fire alerts at most once every two minutes. In addition, a log file named youtubeviolation.log should be created every time the alert is raised. Do you suggest that I use 'http_header' after the content match?

I am using snort 2.8.5.3

Thanks again :)
Manju
Date: Fri, 26 Mar 2010 09:13:22 -0500
Subject: Re: [Snort-sigs] Need help 'log to' option of the snort rule
From: l0rdch0de1m0rt () gmail com
To: manjushree.ks () hotmail com
CC: snort-sigs () lists sourceforge net

Hello, this is L0rd Ch0de1m0rt. I do not know why it is not logging correctly, but might I kindly make some suggestions about the rule? First, I would suggest that the destination port be 80 or your $HTTP_PORTS variable. Next, I would suggest that you look for "youtube.com" in the HTTP headers only (just add 'http_header' after the content match), since it should be in the HTTP Host header if the browser is compatible with HTTP 1.1. Of course, this can be bypassed, but nowadays pretty much all browsers are HTTP 1.1 compliant and send the Host header by default. What version of snort are you running? Maybe it doesn't support the logto directive if it is older.

Cheers,
-L0rd Ch0de1m0rt

On 3/26/10, manjushree ks <manjushree.ks () hotmail com> wrote:

Hi again,

Sorry, a small correction in the rule. It would be:

alert tcp any any -> any any (msg:"Policy Violation : YOUTUBE is visited via a different site"; content:"youtube.com"; threshold: type both, track by_src, count 1, seconds 120; \
logto:"/etc/snort/youtubeviolation.log1"; classtype:policy-violation; sid:7000002;)

Regards,
Manju

From: manjushree.ks () hotmail com
To: snort-sigs () lists sourceforge net
Date: Fri, 26 Mar 2010 19:02:00 +0530
Subject: [Snort-sigs] Need help 'log to' option of the snort rule

Hi,

This is Manju writing in to request any suggestions on the below snort rule. I have a rule here which is required to create a log file in order to log any of the alerts detected due to a visit to the 'youtube.com' site. But unfortunately it's not creating any file named youtubeviolation1.log in the specified directory. Could anybody throw some light on this?

Below is the rule:

alert tcp any any -> any any (msg:"Policy Violation : YOUTUBE is visited via a different site"; content:"youtube.com"; threshold: type both, track by_src, count 1, seconds 120; \
logto:"/etc/snort/youtubeviolation.log"; classtype:policy-violation; sid:7000002;)

Thanks!
Manju
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
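For reference, here is the poster's rule with the two changes suggested in the thread applied (destination port restricted to $HTTP_PORTS, and the content match limited to HTTP headers with http_header). This is an added example written for this archive page, not a rule posted by either participant. It assumes $HTTP_PORTS is defined in snort.conf and that the http_inspect preprocessor is enabled, which http_header depends on; the flow keyword and the rev bump are my additions, not suggestions from the thread.

```snort
# Added example, not from the thread. Assumes $HTTP_PORTS is defined and
# http_inspect is enabled in snort.conf (required for http_header).
alert tcp any any -> any $HTTP_PORTS ( \
    msg:"Policy Violation : YOUTUBE is visited via a different site"; \
    flow:to_server,established; \
    content:"youtube.com"; nocase; http_header; \
    threshold: type both, track by_src, count 1, seconds 120; \
    logto:"youtubeviolation.log"; \
    classtype:policy-violation; \
    sid:7000002; rev:2; \
)
```

Two things to check when the logto file does not appear. First, the Snort 2.x manual states that logto is not supported in binary logging mode (-b), so a sensor writing unified2 or tcpdump-format logs will raise the alert but never create the file; run with the ASCII packet logger (-l <dir> without -b) to confirm the rule itself fires, and expect the file under that log directory, which is why the example uses a bare filename rather than an absolute /etc/snort path. Second, the 2.8.5 manual marks the rule-level threshold keyword as deprecated in favour of detection_filter inside rules or a standalone event_filter in snort.conf; it still works in 2.8.5.3, but an event_filter with the same type both / track by_src / count 1 / seconds 120 settings keyed on gen_id 1, sig_id 7000002 is the forward-compatible form.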
Current thread:
- Need help 'log to' option of the snort rule manjushree ks (Mar 26)
- Re: Need help 'log to' option of the snort rule manjushree ks (Mar 26)
- Re: Need help 'log to' option of the snort rule L0rd Ch0de1m0rt (Mar 26)
- Re: Need help 'log to' option of the snort rule manjushree ks (Mar 26)
- Re: Need help 'log to' option of the snort rule L0rd Ch0de1m0rt (Mar 26)
- Re: Need help 'log to' option of the snort rule L0rd Ch0de1m0rt (Mar 26)
- Re: Need help 'log to' option of the snort rule Alex Tatistcheff (Mar 26)
- Re: Need help 'log to' option of the snort rule manjushree ks (Mar 26)