[Snort-users] wish list...

Erik Fichtner emf at ...367...
Thu Sep 28 16:00:48 EDT 2000

Just to stimulate discussion, there's a couple of things I'd like to be
able to accomplish...  

1)	full http decoding into header fields, so that we can search for
	things in specific http headers (or NOT in specific headers, as the
	case may be)  


	a way to say "Match in the packet but only until you run into 
	string 'foo', and then give up searching"    ("depth" isn't really
	flexable enough as the initial command of an http request can be 
	arbitrarily long, but we'd like to only search in that up to the

	example:  elimination of false positives based on Referer: header.

2)	"give me the previous (n) packet(s)" option.  

	example:   when we match on something like "530 Login incorrect"
	(ftp bad login), it would be very nice to be able to go back
	a couple of packets in the stream and save what USER was attempted,
	but it's impactical to alert on all USER attempts just to be able
	to correlate later.

I don't know if either of these are feasable.

Erik Fichtner
Security Administrator, ServerVault, Inc.

More information about the Snort-users mailing list