[Snort-devel] HTTP content filtering

npkg at ...1093... npkg at ...1093...
Thu Jan 24 23:51:05 EST 2002


Hello Everyone,

I am trying to build an HTTP content filter that would scan for a
person's web session. This could be a mail session or a browsing session
or FTP session etc. Snort, as I understand, can do content filtering when
specified in the content keyword. But this does not differentiate the
content based on different headers. Say, for example, the content
"xyz_sexy" in the email name on a public domain, say
xyz_sexy at ...1097..., would not be differentiated from the content
"xyz_sexy" in a porn website. And if we try to log on the particular
content, then both are logged.

I would like to be able to differentiate based on the location of a
particular content. Are there any suggestions? The sp_pattern_match.c file
does the content filtering, but that is based on just the content alone.
Are there any suggestions on how I can tweak it to my requirement?

Any ideas will be appreciated.

Thank you

Gangadhar
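
The distinction asked about above, as an added example that is not part of the original post and is not Snort or sp_pattern_match.c code: the same pattern is searched separately in the request-line URI, the header block and the body, and the result says where it matched. The names locate_content, find_off and find_in and both sample requests are hypothetical; the sketch assumes the whole HTTP request sits in one buffer and matches bytes case-sensitively.

```c
#include <stdio.h>
#include <string.h>

/* Bit flags for the region of an HTTP request in which a pattern occurs. */
enum { LOC_URI = 1, LOC_HEADER = 2, LOC_BODY = 4 };

/* Constructed sample requests (not captured traffic). */
static const char SITE_REQ[] =
    "GET /xyz_sexy/index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n";
static const char MAIL_REQ[] =
    "POST /compose HTTP/1.0\r\nHost: mail.example.com\r\n"
    "Content-Length: 25\r\n\r\nto=xyz_sexy%40example.com";

/* Offset of the first occurrence of mark in buf[0..len), or len if absent. */
static size_t find_off(const char *buf, size_t len, const char *mark)
{
    size_t mlen = strlen(mark);
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(buf + i, mark, mlen) == 0) return i;
    return len;
}

/* 1 if the non-empty pattern pat occurs inside buf[0..len), else 0. */
static int find_in(const char *buf, size_t len, const char *pat)
{
    return *pat && find_off(buf, len, pat) < len;
}

/* Split the request into URI, headers and body, then search each region. */
int locate_content(const char *pkt, size_t len, const char *pat)
{
    size_t line_end = find_off(pkt, len, "\r\n");      /* end of request line */
    size_t hdr_end  = find_off(pkt, len, "\r\n\r\n");  /* end of header block */
    size_t uri_beg  = find_off(pkt, line_end, " ");    /* space after method  */
    if (uri_beg < line_end) uri_beg++;
    size_t uri_len  = find_off(pkt + uri_beg, line_end - uri_beg, " ");
    int where = 0;
    if (find_in(pkt + uri_beg, uri_len, pat)) where |= LOC_URI;
    if (find_in(pkt + line_end, hdr_end - line_end, pat)) where |= LOC_HEADER;
    if (hdr_end + 4 <= len &&
        find_in(pkt + hdr_end + 4, len - hdr_end - 4, pat)) where |= LOC_BODY;
    return where;
}

int main(void)
{
    printf("site=%d mail=%d\n", locate_content(SITE_REQ, sizeof SITE_REQ - 1, "xyz_sexy"),
           locate_content(MAIL_REQ, sizeof MAIL_REQ - 1, "xyz_sexy"));
    return 0;
}
```

A rule that logs only when LOC_URI is set would record the site request and ignore the address typed into the webmail form.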


