[Snort-sigs] Web Traffic Rule

Jason Haar Jason.Haar at ...651...
Fri Feb 15 21:15:54 EST 2008

Michael Wisniewski wrote:
> I know everybody is against me (and others) using snort to do
> this...but can I pretty please have a rule that will log web traffic
> and the URL path the users go to?  :-)
You can't. Snort doesn't support the concept of making some part of the 
captured event part of the alert description. I myself have asked for 
such a feature before.

(so I'll try again ;-)

It would be great if you could write rules like:

alert tcp any any -> any 80 (msg:"You are going to $1";content:"GET 
([^\s]+) HTTP/";xxxx);

Quite often snort captures 'interesting things', and you have to access 
the database to see what it was - instead of directly seeing it within 
the "msg" value.

(then again, the probable reason snort doesn't do this is performance).

Thinking further, maybe this could be done by barnyard - the performance 
overhead wouldn't matter there...


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-sigs mailing list