
The aim is to detect if anyone in the HOME_NET is searching for "terrorism" and to generate an alert. I am using Snort 2.9 installed in a virtual machine (VirtualBox) running Ubuntu 18.04.

This same question was asked here but remains unanswered.

For testing purposes, HOME_NET is set to a single machine (192.168.30.102).

The created rule is as follows:

alert tcp $HOME_NET any -> any any (msg:"terrorism content found"; content:"terrorism"; nocase; sid:10000002;)

This is based on the excellent video by Dr. Philip Craiger here.
A few other variations were also attempted, as suggested here and here:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"terrorism content found"; content:"terrorism"; nocase; sid:10000002;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"terrorism content found"; content:"terrorism"; http_uri; sid:10000002;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"terrorism content found"; content:"terrorism"; http_client_body; sid:10000002;)

For testing, a simple Google search was done in the web browser (Firefox). However, no alerts are generated.

The rule to detect the word "HTTP" was executed properly:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP found"; content:"HTTP"; sid:10000002;)

This is a fairly simple rule because 'HTTP' is the first word in the packet application data. However, none of the variations of the previous rule described above seem to be working: no alerts are generated.

I would appreciate it if anyone could point me in the right direction.


1 Answer

For future reference:

Google, as well as most other web search engines, runs over an HTTPS connection. Hence the application-layer payload is encrypted and cannot be parsed by Snort.
Snort can be applied only to unencrypted packets.

Further detail regarding this can be found here.

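As an added illustration (not code from the question, the answer, or the Snort project), the following Python script is a simplified model of Snort's content, nocase, http_uri and http_client_body matching, run against a constructed plaintext HTTP search request and a constructed TLS application-data record. It shows why the rules above can fire on unencrypted HTTP but never on an HTTPS search, whose query text is only ciphertext on the wire.

```python
# Simplified model of Snort content matching (assumption: this is an
# illustration, not Snort's actual detection engine).
import re
from typing import Dict, Optional


def parse_http_request(payload: bytes) -> Optional[Dict[str, bytes]]:
    """Split a plaintext HTTP request into uri and body; None if not HTTP."""
    head, _, body = payload.partition(b"\r\n\r\n")
    m = re.match(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n", head)
    if not m:
        return None
    return {"uri": m.group(1), "body": body}


def content_match(payload: bytes, pattern: bytes, nocase: bool = False,
                  http_uri: bool = False, http_client_body: bool = False) -> bool:
    """Emulate one Snort 'content' option with the listed modifiers."""
    if http_uri or http_client_body:
        req = parse_http_request(payload)
        if req is None:          # the http_* buffers only exist for decoded HTTP
            return False
        buf = req["uri"] if http_uri else req["body"]
    else:
        buf = payload            # plain content: the whole application payload
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


# Constructed plaintext HTTP search requests (what the rule author expected).
HTTP_SEARCH = b"GET /search?q=terrorism HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTP_POST = (b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 11\r\n\r\nq=terrorism")
# Constructed TLS application-data record: 5-byte header plus a stand-in for
# opaque ciphertext. Real HTTPS traffic looks like this; the query is not visible.
TLS_RECORD = b"\x17\x03\x03\x00\x40" + bytes(range(0x80, 0xC0))


def evaluate_rules(payload: bytes) -> Dict[str, bool]:
    """Apply the three rule variants from the question to one payload."""
    return {
        "plain_nocase": content_match(payload, b"terrorism", nocase=True),
        "http_uri": content_match(payload, b"terrorism", http_uri=True),
        "http_client_body": content_match(payload, b"terrorism", http_client_body=True),
    }


if __name__ == "__main__":
    for name, pkt in [("HTTP GET", HTTP_SEARCH), ("HTTP POST", HTTP_POST), ("TLS", TLS_RECORD)]:
        print(name, evaluate_rules(pkt))
```

Running it prints a match for the GET (plain and http_uri) and for the POST (plain and http_client_body), and no match at all for the TLS record.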