
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 749

Snort rule creation

I am creating a rule for snort to alert me on traffic that hits any search engine. I have little knowledge of the program. I would like to set it up so whenever someone goes out to google, bing, yahoo, or any others, it will alert me. I read something about using a $ sign in the rule. Thanks.
0
Asked: Justin_Edmands
1 Solution
Rich Rumble (Security Samurai) commented:
http://doc.emergingthreats.net/bin/view/Main/SnortSigs101
Using $ would mean you're making a variable source, destination or a list; it's used so you can define your home_network, your dns_servers, your http_servers... you can use it to define search engine domains.
Look at "var AIM_SERVERS" in your snort.conf file as an example; to call that var, just use $AOL_SERVERS.
Read the docs/readme.variables file for even further explanations.
This will log an alert for the string "google.com/search?" (the bytes are hex, so they go between pipes; without the pipes Snort would look for the literal text "67 6f ..."):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Google search query"; flow:to_server,established; content:"|67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 61 72 63 68 3f|"; sid:12345678; rev:1;)

There are some search rules in the Snort rules already, like in policy.rules for Google Desktop Search, for instance.
-rich
0
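To see how the $ variables and the content option in the answer above actually behave, here is a small Python model added for this page (it is not Snort's code and not from the answer). It assumes three snort.conf-style variables and three constructed rules: sid 1000001 carries the posted hex content wrapped in pipes, which Snort needs in order to read the digits as bytes rather than as literal text, and sids 1000002 and 1000003 are assumed additions that check the Host header and the URI separately, because in a normal browser request the host name and the path are never adjacent in the payload (only a proxied request with an absolute URI contains "google.com/search?"). The sample requests are constructed, not captured traffic.

```python
"""Toy Snort-style content matcher, added as a worked example (not Snort's code,
not the poster's).  It models only $VAR expansion in the rule header, the content
option with |hex| escapes, and the nocase / http_uri / http_header modifiers.
Everything else in a rule (flow, pcre, thresholds, backslash escapes) is ignored."""
import re

# Assumed snort.conf variables, standing in for the real var/portvar lines.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24",
        "HTTP_PORTS": "[80,8080]"}

# Constructed rules.  sid 1000001 is the posted content with the hex in pipes;
# the other two are assumed additions matching Host and URI separately.  A ':'
# inside content is written as |3a| because Snort treats a bare ':' specially.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Google search, absolute URI"; '
    'flow:to_server,established; '
    'content:"|67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 61 72 63 68 3f|"; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Google search"; '
    'flow:to_server,established; content:"Host|3a| www.google."; nocase; http_header; '
    'content:"/search?"; http_uri; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bing search"; '
    'flow:to_server,established; content:"Host|3a| www.bing.com"; nocase; http_header; '
    'content:"/search?"; http_uri; sid:1000003; rev:1;)',
]

OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
BUFFERS = {"http_uri", "http_header", "http_client_body"}


def expand_vars(header: str) -> str:
    """Replace $NAME tokens in a rule header from VARS (unknown names are kept)."""
    return re.sub(r"\$(\w+)", lambda m: VARS.get(m.group(1), m.group(0)), header)


def decode_content(raw: str) -> bytes:
    """Text outside |...| is literal bytes, text inside is hex; no pipes, no hex."""
    out, hexbuf, in_hex = bytearray(), [], False
    for ch in raw:
        if ch == "|":
            if in_hex:
                out += bytes.fromhex("".join(hexbuf))
                hexbuf = []
            in_hex = not in_hex
        elif in_hex:
            hexbuf.append(ch)
        else:
            out += ch.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Split a rule into its expanded header and the options this model understands."""
    header, opts = rule.split("(", 1)
    opts = opts[: opts.rindex(")")]
    parsed = {"header": expand_vars(header.strip()), "msg": "", "sid": None, "contents": []}
    for m in OPTION_RE.finditer(opts):
        name, value = m.group(1), m.group(2)
        if name == "content":
            parsed["contents"].append({"pattern": decode_content(value.strip().strip('"')),
                                       "buffer": "payload", "nocase": False})
        elif name in BUFFERS and parsed["contents"]:   # sticky modifier for the last content
            parsed["contents"][-1]["buffer"] = name
        elif name == "nocase" and parsed["contents"]:
            parsed["contents"][-1]["nocase"] = True
        elif name == "msg":
            parsed["msg"] = value.strip().strip('"')
        elif name == "sid":
            parsed["sid"] = int(value)
    return parsed


def http_buffers(payload: bytes) -> dict:
    """Carve a raw request into the buffers the modifiers select (raw, not normalized)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    return {"payload": payload, "http_uri": parts[1] if len(parts) > 1 else b"",
            "http_header": headers + b"\r\n", "http_client_body": body}


def rule_fires(rule: dict, payload: bytes) -> bool:
    """Non-relative contents are independent: each must occur somewhere in its buffer."""
    bufs = http_buffers(payload)
    for c in rule["contents"]:
        hay, needle = bufs[c["buffer"]], c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


PARSED = [parse_rule(r) for r in RULES]


def evaluate(payload: bytes) -> list:
    """Return (sid, msg) for every rule that fires on the request."""
    return [(r["sid"], r["msg"]) for r in PARSED if rule_fires(r, payload)]


# Constructed sample requests (not captured traffic).
DIRECT_GOOGLE = (b"GET /search?q=snort+rules HTTP/1.1\r\nHost: www.google.com\r\n"
                 b"User-Agent: example\r\n\r\n")           # browser talking to the site directly
PROXY_GOOGLE = (b"GET http://www.google.com/search?q=snort HTTP/1.1\r\n"
                b"Host: www.google.com\r\n\r\n")           # explicit proxy: absolute URI in the request line
BING = b"GET /search?q=snort HTTP/1.1\r\nHost: www.bing.com\r\n\r\n"
UNRELATED = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

Calling evaluate() on the samples shows the point: the direct Google request is caught only by the Host/URI rule (sid 1000002), the proxied request with an absolute URI trips both Google rules, and the Bing request trips only sid 1000003. The model deliberately uses the raw URI; real Snort matches http_uri against the normalized URI, so a rule tested this way still needs checking against live traffic.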
