27 Feb
Snort rule is not working correctly. It needs to alert when an HTTPS page is accessed
I'm trying to create a Snort rule that alerts me when users on my network visit certain prohibited websites. I have a partially working rule, but I'm encountering issues with the HTTP protocol specifically.
What works
My rule works when monitoring traffic on port 443:
alert tcp any any -> any 443 (content:"bizballotonline.azurewebsites.net"; nocase; msg:"prohibited site access detected"; sid:1000004;)
What doesn't work
When I try to modify the rule to include HTTP content inspection using http_url, I don't receive any alerts:
alert tcp any any -> any 443 (content: "bizballotonline.azurewebsites.net"; http_url; nocase; msg: "prohibited site access detected"; sid: 1000004;)
My environment
- Snort version: [virtual linux on windows 10 machine]
- Operating system: [specify OS]
- Network setup: [home network]
Questions
- What's the correct syntax for using http_url in Snort rules to inspect HTTP traffic?
- Should I be using different ports (80 for HTTP, 443 for HTTPS) with different rule configurations?
- Are there additional HTTP-specific keywords I should include in my rule?
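As an added example (not part of the original post), a small Python checker that shows why the plain content match can fire on port 443 while a match on Snort's HTTP buffers cannot: on 443 the only plaintext copy of the hostname is the SNI extension of the TLS ClientHello, because the request line and Host header are inside the encrypted session. The hostname is the one from the question; the packets below are constructed.

```python
import struct
# Hostname taken from the question; all sample packets below are constructed.
PROHIBITED = {"bizballotonline.azurewebsites.net"}

def http_request(payload: bytes):
    """(request-target, Host) of a plaintext HTTP/1.x request, else None.
    This is the data an http_* buffer keyword works on; a TLS payload yields None."""
    head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    hdrs = dict((k.strip().lower(), v.strip()) for k, _, v in
                (line.partition(b":") for line in head[1:]))
    return parts[1].decode(), hdrs.get(b"host", b"").decode().lower() or None

def tls_sni(payload: bytes):
    """server_name from a TLS ClientHello (RFC 6066 SNI extension), else None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:        # handshake record, ClientHello
            return None
        pos = 44 + payload[43]                              # skip random + session_id
        pos += 2 + struct.unpack_from(">H", payload, pos)[0]    # cipher_suites
        pos += 1 + payload[pos]                             # compression_methods
        end = pos + 2 + struct.unpack_from(">H", payload, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from(">HH", payload, pos)
            if ext_type == 0:                               # server_name extension
                name_len = struct.unpack_from(">H", payload, pos + 7)[0]
                return payload[pos + 9:pos + 9 + name_len].decode().lower()
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):   # truncated or malformed
        pass
    return None

def prohibited_host(payload: bytes):
    """Hostname a detector can see in the first client payload (port 80 or 443), if prohibited."""
    req = http_request(payload)
    host = req[1] if req else tls_sni(payload)
    return host if host in PROHIBITED else None

def make_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello whose only extension is SNI."""
    name = hostname.encode()
    sni = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack(">HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"               # version, random, empty session_id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"              # one cipher suite, null compression
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake header
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

The same split applies to the rules: a hostname match without an HTTP buffer modifier can hit the SNI bytes on 443, while http_uri or http_header style matching only has data to inspect on plaintext port 80 traffic.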