Snort rule to alert on a single IP port 80 traffic ??

I need to monitor a specific users traffic on port 80 and I would like to use a Snort alert rule so that the traffic is stored in mysql on my IDS box.

I have tried this simple rule but it does not work.  IP changed to protect the innocent :-)

alert tcp 10.x.x.x 80 -> any any (msg:"10.x.x.x Web Traffic Alert";)

Since my Snort box sits between the firewall and the main router, it is ideal for monitoring the traffic.

Can anyone give me a rule that will accomplish what I need?

Thanks,

Craig
LVL 3
Craig SharpLead Enginneer - Unix Server TeamAsked:
Who is Participating?
 
syn_ack_finConnect With a Mentor Commented:
Try this one:
alert tcp 10.x.x.x any -> any 80
or if correct variables are set
alert tcp $HOME_NET any -> $EXTERNAL_NET 80

The source port will not be 80 the destination port will be.

Good luck.
0
 
Craig SharpLead Enginneer - Unix Server TeamAuthor Commented:
Since I want to monitor traffic from a single source address, would I write the rule like this?

alert tcp 10.50.x.x any -> any 80 (msg:"10.50.x.x Web Traffic Alert";)
0
 
syn_ack_finCommented:
Yes, that should work. The only problem with your original rule was that the ports were switched. Your rule was looking for traffic with a source port of 80, not destination.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.