[Snort-devel] Re: HTTP content filtering

npkg at ...1093... npkg at ...1093...
Fri Jan 25 02:33:07 EST 2002

Hello Everyone,

Imran wrote:

Well, you could just forget the whole thing, and do it based
on frequency - we will all see some web pages with rude words,
but the more, the more suspicious.  What about doing it primarily
based on the domain name itself, and looking for suspicious words
in that?

But maybe this is not your application, you just used it as an example?

   I wish to clarify, Imran, that the application does look for a specific
content, let's say the email id on a public domain name, like
xyz at ...1098... It is of common knowledge that the id would not be
transmitted as xyz at ...398..., but would be transmitted as xyz with some
associated fields. Now the same xyz can exist in the content of the mail,
right? So what I wanted to know was if there is a way that I can
differentiate the two.
     Counting on the frequency here would not help, as you might be able
to see. And doing it on the domain name also would not be helpful. So if
there is any other way out, please do let me know.
           Thanks in advance.
