[Snort-users] Help with a rule

Paul Schmehl pschmehl_lists at ...14358...
Thu Mar 5 22:38:56 EST 2009


--On March 5, 2009 6:18:49 PM -0600 Luis Daniel Lucio Quiroz 
<luis.daniel.lucio at ...11827...> wrote:

>
> Hi Oinks,
>
> Can anyone help me on build a rule that makes this:
>
> Logs al http packets that has a text/* mime type.

alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime type 
detected in web traffic"; content:"Content-Type: text/"; http_header; 
classtype:"web-application-activity"; sid:1000001; rev:1;)

You *do* realize this will capture *every* text/html header, which will be 
a ton of packets if you're tracking any traffic at all?  If you can 
restrict it to something more specific, like text/xml, you'll have many 
less alerts to deal with?

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying





More information about the Snort-users mailing list