Question
alert tcp any any -> any 443 (msg: Testing HTTP request alert; sid:1000004;) Withe the snort rule above as an example, you may now enter
alert tcp any any -> any 443 (msg: "Testing HTTP request alert"; sid:1000004;)
Withe the snort rule above as an example, you may now enter your own rule (similar rule) to detect the traffic to/from invalid web site you chose. Explain how your rule works in detailsl
I simply created a rule for detecting any traffic whose destination port is equal to 443 (SSL/TLS). This port is used for most of the SSL/TLS enabled web servers. Many web servers are automatically redirect/utilize 443 port for secure connection, even though you specify http://... in your web browser.
Depending upon the actual pattern matching features you want to use in your rule, this port number information may be used or may not be used e.g., if you are trying to detect the occurrence of mdlottery.com in packet payloads.
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Get Instant Access to Expert-Tailored Solutions
See step-by-step solutions with expert insights and AI powered tools for academic success
Step: 2
Step: 3
Ace Your Homework with AI
Get the answers you need in no time with our AI-driven, step-by-step assistance
Get Started