[Snort-users] wish list...
emf at ...367...
Thu Sep 28 16:00:48 EDT 2000
Just to stimulate discussion, there's a couple of things I'd like to be
able to accomplish...
1) full http decoding into header fields, so that we can search for
things in specific http headers (or NOT in specific headers, as the
case may be)
a way to say "Match in the packet but only until you run into
string 'foo', and then give up searching" ("depth" isn't really
flexible enough as the initial command of an http request can be
arbitrarily long, but we'd like to only search in that up to the
example: elimination of false positives based on Referer: header.
2) "give me the previous (n) packet(s)" option.
example: when we match on something like "530 Login incorrect"
(ftp bad login), it would be very nice to be able to go back
a couple of packets in the stream and save what USER was attempted,
but it's impractical to alert on all USER attempts just to be able
to correlate later.
I don't know if either of these are feasible.
Security Administrator, ServerVault, Inc.
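The two wishes above (match inside a decoded HTTP header or only up to a stop string, and look back at the previous packets of a flow when a "530 Login incorrect" is seen) sketched in Python as an added example. This is not Snort code and not part of the original post; the HTTP request and FTP exchange are constructed sample traffic, and the function and class names are assumptions.

```python
from collections import deque

# Constructed sample traffic (not real captures).
HTTP_REQUEST = (
    b"GET /cgi-bin/search.cgi?q=foo HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.example.com/index.html\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"\r\n"
)

FTP_FLOW = "10.0.0.5:1025->10.0.0.9:21"
FTP_SESSION = [
    (FTP_FLOW, "server", b"220 ftp ready\r\n"),
    (FTP_FLOW, "client", b"USER alice\r\n"),
    (FTP_FLOW, "server", b"331 Password required\r\n"),
    (FTP_FLOW, "client", b"PASS wrong\r\n"),
    (FTP_FLOW, "server", b"530 Login incorrect.\r\n"),
]


def parse_http_request(raw):
    """Decode a raw HTTP request into its request line and a dict of headers
    (names lower-cased) so a rule can target one field instead of the packet."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line: skip it rather than guess
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"request_line": lines[0].decode("latin-1"), "headers": headers, "body": body}


def header_contains(raw, header, needle):
    """True if the named header is present and contains needle (e.g. a
    Referer: check used to suppress a false positive)."""
    value = parse_http_request(raw)["headers"].get(header.lower())
    return value is not None and needle in value


def search_until(payload, needle, stop):
    """Look for needle only in the part of payload before the first occurrence
    of stop; returns the offset or -1.  Unlike a fixed depth, the window
    follows the real length of the request line."""
    limit = payload.find(stop)
    window = payload if limit < 0 else payload[:limit]
    return window.find(needle)


class FlowHistory:
    """Keep the last n payloads seen on each flow so an alert can report what
    preceded the matching packet."""

    def __init__(self, n=4):
        self.n = n
        self.flows = {}

    def observe(self, flow, direction, payload):
        self.flows.setdefault(flow, deque(maxlen=self.n)).append((direction, payload))

    def previous(self, flow):
        return list(self.flows.get(flow, ()))


def correlate_ftp_failures(packets, history=4):
    """packets: iterable of (flow, direction, payload) in arrival order.
    For every '530 Login incorrect' from the server, report the last USER the
    client sent on that flow (None if it has already left the history window)."""
    hist = FlowHistory(history)
    alerts = []
    for flow, direction, payload in packets:
        if direction == "server" and b"530 Login incorrect" in payload:
            user = None
            for d, p in reversed(hist.previous(flow)):
                if d == "client" and p.upper().startswith(b"USER "):
                    user = p[5:].strip().decode("latin-1")
                    break
            alerts.append((flow, user))
        hist.observe(flow, direction, payload)
    return alerts


if __name__ == "__main__":
    print(parse_http_request(HTTP_REQUEST)["headers"])
    print(search_until(HTTP_REQUEST, b"search.cgi", b"\r\n"))
    print(correlate_ftp_failures(FTP_SESSION))
```

The history window is the trade-off the post alludes to: a small window costs little memory per flow but the USER command may already have scrolled out by the time the 530 arrives, which is why the lookup returns None rather than a stale value.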