Craig Sharp
asked on
Snort rule to alert on a single IP's port 80 traffic?
I need to monitor a specific user's traffic on port 80 and I would like to use a Snort alert rule so that the traffic is stored in MySQL on my IDS box.
I have tried this simple rule but it does not work. IP changed to protect the innocent :-)
alert tcp 10.x.x.x 80 -> any any (msg:"10.x.x.x Web Traffic Alert";)
Since my Snort box sits between the firewall and the main router, it is ideal for monitoring the traffic.
Can anyone give me a rule that will accomplish what I need?
Thanks,
Craig
ASKER CERTIFIED SOLUTION
Yes, that should work. The only problem with your original rule was that the ports were switched. Your rule was looking for traffic with a source port of 80, not destination.
ASKER
alert tcp 10.50.x.x any -> any 80 (msg:"10.50.x.x Web Traffic Alert";)
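The point of the accepted answer is that a Snort rule header is directional: `src src_port -> dst dst_port` only matches packets travelling that way, so a header with source port 80 sees the server's replies, not the client's requests. The following added example (not code from the thread or from the Snort project) is a small matcher for Snort rule headers that checks which 5-tuples a header would fire on. The three rules, the client address 10.50.1.20, the server address 203.0.113.10 and the `sid` values are constructed for the example; the matcher handles `any`, single IPs, CIDR blocks, `[a,b]` lists, `!` negation, `lo:hi` port ranges and the `<>` bidirectional operator, but does not expand `$HOME_NET`-style variables.

```python
import ipaddress
import re

# Constructed sample rules (not from the thread). Snort expects a sid on every
# rule, so the local-rule range 1000000+ is used here.
ORIGINAL_RULE = 'alert tcp 10.50.1.20 80 -> any any (msg:"Web Traffic Alert"; sid:1000001; rev:1;)'
CORRECTED_RULE = 'alert tcp 10.50.1.20 any -> any 80 (msg:"Web Traffic Alert"; sid:1000002; rev:1;)'
BIDIR_RULE = 'alert tcp 10.50.1.20 any <> any 80 (msg:"Web Traffic Alert"; sid:1000003; rev:1;)'

# action proto src sport dir dst dport ( ...options... )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\('
)


def parse_header(rule):
    """Split the rule header into its fields; the option block is ignored."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unrecognised rule header: " + rule)
    return m.groupdict()


def ip_matches(spec, ip):
    """True if 'ip' falls inside the rule's address spec (any, CIDR, [list], !negation)."""
    if spec == 'any':
        return True
    negate = spec.startswith('!')
    if negate:
        spec = spec[1:]
    nets = spec.strip('[]').split(',')
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate


def port_matches(spec, port):
    """True if 'port' falls inside the rule's port spec (any, N, lo:hi, !negation)."""
    if spec == 'any':
        return True
    negate = spec.startswith('!')
    if negate:
        spec = spec[1:]
    if ':' in spec:
        lo, hi = spec.split(':', 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return hit != negate


def header_matches(rule, src_ip, src_port, dst_ip, dst_port):
    """Would this rule header fire on a packet with the given 5-tuple?"""
    h = parse_header(rule)
    forward = (ip_matches(h['src'], src_ip) and port_matches(h['sport'], src_port)
               and ip_matches(h['dst'], dst_ip) and port_matches(h['dport'], dst_port))
    if h['dir'] == '->':
        return forward
    # '<>' also matches the packet with source and destination swapped.
    reverse = (ip_matches(h['src'], dst_ip) and port_matches(h['sport'], dst_port)
               and ip_matches(h['dst'], src_ip) and port_matches(h['dport'], src_port))
    return forward or reverse


if __name__ == "__main__":
    # Constructed flows: the monitored client's request and the server's reply.
    request = ("10.50.1.20", 51234, "203.0.113.10", 80)
    reply = ("203.0.113.10", 80, "10.50.1.20", 51234)
    for name, rule in (("original", ORIGINAL_RULE), ("corrected", CORRECTED_RULE), ("bidir", BIDIR_RULE)):
        print(name, "request:", header_matches(rule, *request), "reply:", header_matches(rule, *reply))
```

Run against the constructed flows, the original header matches neither the request nor the reply (no packet has the client's address together with source port 80), the corrected header matches only the client's outbound request, and the `<>` form matches both directions, which is what you want when the goal is to log the whole web session for one host rather than just the requests.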