[Snort-sigs] Web Traffic Rule
Jason.Haar at ...651...
Fri Feb 15 21:15:54 EST 2008
Michael Wisniewski wrote:
> I know everybody is against me (and others) using snort to do
> this...but can I pretty please have a rule that will log web traffic
> and the URL path the users go to? :-)

You can't. Snort doesn't support the concept of making some part of the
captured event part of the alert description. I myself have asked for
such a feature before.

(so I'll try again ;-)

It would be great if you could write rules like:

alert tcp any any -> any 80 (msg:"You are going to $1";content:"GET

Quite often snort captures 'interesting things', and you have to access
the database to see what it was - instead of directly seeing it within
the "msg" value.

(then again, the probable reason snort doesn't do this is performance).

Thinking further, maybe this could be done by barnyard - the performance
overhead wouldn't matter there...

Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
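
The post-processing idea raised at the end of the message, as an added example that is not part of the original post and is not Snort or barnyard code: a standalone Python sketch that fills a `$1` placeholder in an alert message from the stored packet payload after capture. The `$1` template syntax, the `HTTP_GET` pattern, the function names and the sample payloads are all assumptions made for illustration.

```python
import re

MAX_FIELD = 200  # cap on captured bytes copied into one message

# Assumed pattern for the request line of a plain HTTP GET; group 1 is the URL path.
HTTP_GET = re.compile(rb"\AGET\s+(\S+)\s+HTTP/1\.[01]\r\n")


def sanitize(raw: bytes) -> str:
    """Turn captured bytes into printable ASCII that fits on one log line."""
    text = raw[:MAX_FIELD].decode("latin-1")
    # Escape anything outside printable ASCII so a crafted URL cannot inject
    # terminal escape sequences or extra log lines into the alert text.
    return "".join(c if " " <= c <= "~" else "\\x%02x" % ord(c) for c in text)


def expand_msg(template: str, pattern: re.Pattern, payload: bytes) -> str:
    """Fill $1, $2, ... in template from pattern's capture groups in payload."""
    match = pattern.search(payload)
    if match is None:
        return template  # payload is not what the template expects

    def fill(ref: re.Match) -> str:
        index = int(ref.group(1))
        if index == 0 or index > pattern.groups or match.group(index) is None:
            return ref.group(0)  # unknown placeholder: leave as written
        return sanitize(match.group(index))

    # Single pass: text copied from the payload is never re-expanded.
    return re.sub(r"\$(\d+)", fill, template)


if __name__ == "__main__":
    # Constructed payloads standing in for packets stored with an alert.
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"GET /a\x1b[2Jb HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"\x16\x03\x01\x00\x05hello",
    ]
    for payload in samples:
        print(expand_msg("You are going to $1", HTTP_GET, payload))
```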