Re: Rule to detect search engines

[waldo kitty <wkitty42 () windstream net>]

On 7/1/2013 07:20, Borja Luaces wrote:
> Hello all,
>
> I am updating some rules to detect phishing sites against our customer and I was
> wondering if someone has created a rule set to "disable" search engine impacts.
>
> I was firstly thinking about adding to each rule some pcre, one for each mayor
> search engine (google, bing, yahoo,...) but I think this is nonsense.

actually, in your case, that is the way to go...

> As second option I though about creating a white list but I have no access to
> create it, I am only allowed to create rules.
>
> Any other idea?

in your phishing rules, set a flowbit... then in your rules to detect if it is a 
search engine, unset that flowbit... at the end, one rule to check the 
flowbit... if it is still set, then fire the phishing alert otherwise it is a 
search engine and the phishing alert is not fired...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!