Snort mailing list archives

Re: Help with snort rule and notifications


From: Trever Leingod <treverleingod () hotmail com>
Date: Sun, 16 Feb 2014 17:23:39 -0500

Yes it is exactly as I put it in. The port number might be the issue then, some example I saw used the IP twice. I 
cannot seem to find the port number for this website though. I'll try to find it and try again. Thanks.

Trever

Date: Sat, 15 Feb 2014 19:56:15 -0700
Subject: Re: [Snort-users] Help with snort rule and notifications
From: jthoel () gmail com
To: treverleingod () hotmail com
CC: snort-users () lists sourceforge net

Is this the rule exactly as you put it in?  You have the ip in twice and it should be 'ip<space>port'   where port is 
probably [80,443] depending on how you access the site. 
On Feb 15, 2014 5:11 PM, "Trever Leingod" <treverleingod () hotmail com> wrote:

Thanks for the input, Ed. I have tried what you suggested.

I made a new rule based on the rules already present:

"alert tcp any any -> 173.254.252.81 173.254.252.81 (msg: " **Alert gtx0.com has been opened**")"


(IP used above is the one for www.gtx0.com)

I used command "snort -d" and opened up gtx0.com in a browser but no notifications or logs were given. Any further 
tips, anyone?


--Trever Leingod--

CC: snort-users () lists sourceforge net
From: SnortFan () yahoo com

Subject: Re: [Snort-users] Help with snort rule and notifications
Date: Sat, 15 Feb 2014 11:02:14 -0500
To: treverleingod () hotmail com

Here's a quick and dirty way. You can take another rule and copy it. Then you have to pick a Sid that's not in use. 

Change the msg content to the URL. 
If you create a new rules file, you will have to include it in your snort.conf. 
If you using something like barnyard2 there's more to do.  

Cheers, Ed


Sent from a mobile device. 
On Feb 14, 2014, at 4:33 PM, Trever Leingod <treverleingod () hotmail com> wrote:

I am quite new to using Snort. 


I was hoping to get pointers on how to write a rule to get a notification
if a certain website, like say www.facebook.com, is opened in a web browser, and how I would get this 
notification/alert to show.

Trever Leingod

------------------------------------------------------------------------------
Android apps run on BlackBerry 10
Introducing the new BlackBerry 10.2.1 Runtime for Android apps.

Now with support for Jelly Bean, Bluetooth, Mapview and more.
Get your Android app in front of a whole new audience.  Start now.
http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users


Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
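A small linter for the rule-header layout the replies describe (action proto src_ip src_port -> dst_ip dst_port, plus a unique sid), as an added example that is not part of the thread. It runs over the rule as posted and over a corrected version; the port list [80,443], the sid value and the message text in the corrected rule are constructed assumptions.

```python
import re

# Added example, not code from the thread. Checks the two points raised in the
# replies: the header field order (the posted rule had the IP twice and no port)
# and the presence of a unique sid option.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
PORT = re.compile(r"^(?:\d{1,5}(?::\d{0,5})?|:\d{1,5})$")

def _list_or(single, tok):
    """Accept 'any', a $VARIABLE, a negated value, a [a,b] list, or one plain value."""
    tok = tok.lstrip("!")
    if tok == "any" or tok.startswith("$"):
        return True
    if tok.startswith("[") and tok.endswith("]"):
        return all(_list_or(single, t) for t in tok[1:-1].split(","))
    return bool(single.match(tok))

def lint_rule(rule):
    """Return a list of problems; an empty list means the header and sid look right."""
    problems = []
    head, _, opts = rule.strip().strip('"').partition("(")  # header is everything before '('
    tok = head.split()
    if len(tok) != 7 or tok[4] not in ("->", "<>"):
        return ["header needs 7 fields: action proto src_ip src_port -> dst_ip dst_port"]
    if tok[0] not in ACTIONS: problems.append(f"unknown action {tok[0]!r}")
    if tok[1] not in PROTOS: problems.append(f"unknown protocol {tok[1]!r}")
    for name, t in (("src_ip", tok[2]), ("dst_ip", tok[5])):
        if not _list_or(IPV4, t): problems.append(f"{name} {t!r} is not an address")
    for name, t in (("src_port", tok[3]), ("dst_port", tok[6])):
        if not _list_or(PORT, t):
            hint = " (the IP was repeated where the port belongs)" if IPV4.match(t) else ""
            problems.append(f"{name} {t!r} is not a port{hint}")
    m = re.search(r"\bsid\s*:\s*(\d+)", opts)
    if not m: problems.append("missing sid option; every rule needs a unique sid")
    elif int(m.group(1)) < 1000000: problems.append("sid below 1000000 may collide with official rules")
    return problems

# Sample rules: the first is the rule as posted (outer quotes included), the second a constructed fix.
POSTED_RULE = '"alert tcp any any -> 173.254.252.81 173.254.252.81 (msg: " **Alert gtx0.com has been opened**")"'
FIXED_RULE = 'alert tcp any any -> 173.254.252.81 [80,443] (msg:"gtx0.com has been opened"; sid:1000001; rev:1;)'

if __name__ == "__main__":
    for r in (POSTED_RULE, FIXED_RULE):
        print(r, "\n ->", lint_rule(r) or ["ok"])
```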
