Snort mailing list archives
Re: writing alert rules
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 02 Nov 2012 18:43:08 -0400
On 11/1/2012 18:15, Akinwale Fasuru wrote:
> Hi, I wrote a rule for alert on visiting www.youtube.com
>
> alert rule:
>
>     alert tcp any any => any any (msg:"someone is on youtube now!"; content:"www.youtube.com"; sid:1000002;rev:1;)
as noted already,

1. the "=>" should be "->"

2. the content match is much too general... it will match on these messages with that phrase...

the first step to tightening it up would be to limit it in directionality...

    alert tcp any any -> any any (msg:"someone is on youtube now!"; flow:to_server; content:"www.youtube.com"; sid:1000002; rev:2;)

the next step would be to limit the port... i'd say port 80 since youtube is a web service...

    alert tcp any any -> any 80 (msg:"someone is on youtube now!"; flow:to_server; content:"www.youtube.com"; sid:1000002; rev:3;)

then you'd also want to limit it to only url requests... depending on your setup, that might mean looking at the http_headers OR looking specifically for the "Host:" line in raw headers...

you would also want to limit it to outbound requests from your internal network(s)... that means looking for the originating side to be HOME_NET...

i'll leave those last refinements up to you to figure out since it is dependent on your configuration of snort... they are not the only refinements that may be needed, though... there could easily be others ;)
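To make the effect of each refinement concrete, here is an added Python example (not Snort code, and not from either poster) that re-implements the successive rule revisions as plain functions and runs them over a handful of constructed packets. The HOME_NET range, the addresses and the sample payloads are all assumptions made up for the illustration; the point it shows is how many of the samples each revision fires on, from the raw content match down to a check that only fires on an outbound HTTP request from the internal network whose Host: header names the site.

```python
"""Toy re-implementation of the rule revisions discussed in the thread.

Added example, not Snort's matching engine: each function stands in for
one revision of the rule, and the packets are constructed test data.
"""
from dataclasses import dataclass
import ipaddress

# Assumed internal network for the example (Snort's own default for
# HOME_NET is 'any', which is exactly why the reply says to set it).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool   # stands in for Snort's flow:to_server state
    payload: bytes


def rule_rev1(p: Packet) -> bool:
    """rev:1 as posted (with '->' fixed): any direction, any port, raw content match."""
    return b"www.youtube.com" in p.payload


def rule_rev2(p: Packet) -> bool:
    """rev:2: adds flow:to_server, so only client-to-server traffic is considered."""
    return p.to_server and rule_rev1(p)


def rule_rev3(p: Packet) -> bool:
    """rev:3: additionally requires destination port 80."""
    return p.dport == 80 and rule_rev2(p)


def host_header(payload: bytes):
    """Return the lower-cased value of the Host: header of an HTTP request, else None."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or b" HTTP/" not in lines[0]:      # not an HTTP request line
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().lower()
    return None


def rule_refined(p: Packet) -> bool:
    """The shape the reply points at: $HOME_NET source, to_server, port 80, Host: match."""
    if ipaddress.ip_address(p.src) not in HOME_NET:
        return False
    if not (p.to_server and p.dport == 80):
        return False
    return host_header(p.payload) == b"www.youtube.com"


RULES = {"rev1": rule_rev1, "rev2": rule_rev2, "rev3": rule_rev3, "refined": rule_refined}

# Constructed sample traffic; only 'browse' is an actual visit to the site.
SAMPLES = {
    "browse": Packet("192.168.1.10", 51000, "203.0.113.5", 80, True,
                     b"GET /watch?v=abc HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    "smtp_body": Packet("192.168.1.10", 52000, "203.0.113.9", 25, True,
                        b"Subject: link\r\n\r\ncheck www.youtube.com later"),
    "server_reply": Packet("203.0.113.5", 80, "192.168.1.10", 51000, False,
                           b"HTTP/1.1 200 OK\r\n\r\n<a href=\"http://www.youtube.com\">x</a>"),
    "referer_only": Packet("192.168.1.10", 53000, "203.0.113.7", 80, True,
                           b"GET / HTTP/1.1\r\nHost: example.test\r\nReferer: http://www.youtube.com/\r\n\r\n"),
    "external_src": Packet("198.51.100.4", 40000, "203.0.113.5", 80, True,
                           b"GET / HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
}


def evaluate(p: Packet) -> dict:
    """Which rule revisions fire on a single packet."""
    return {name: rule(p) for name, rule in RULES.items()}


def firing(rule_name: str) -> list:
    """Names of the samples a given revision alerts on."""
    return [name for name, p in SAMPLES.items() if RULES[rule_name](p)]


if __name__ == "__main__":
    for name in RULES:
        print(f"{name:8s} fires on: {firing(name)}")
```

Running it shows rev:1 firing on all five samples, rev:2 dropping the server reply, rev:3 dropping the mail traffic, and the refined check alerting only on the genuine outbound request. That is the same narrowing the reply walks through, with the HOME_NET and Host: header steps it leaves to the reader filled in.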
Current thread:
- writing alert rules Akinwale Fasuru (Nov 01)
- Re: writing alert rules Marcos Rodriguez (Nov 01)
- Re: writing alert rules Jefferson, Shawn (Nov 01)
- Re: writing alert rules Akinwale Fasuru (Nov 02)
- Re: writing alert rules waldo kitty (Nov 02)
- Re: writing alert rules waldo kitty (Nov 02)
- Re: writing alert rules Marcos Rodriguez (Nov 01)