[Snort-users] Help with a rule

Frank Knobbe frank at ...9761...
Thu Mar 5 23:21:28 EST 2009


On Thu, 2009-03-05 at 21:38 -0600, Paul Schmehl wrote:
> > Logs all HTTP packets that have a text/* MIME type.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime type detected in web traffic"; content:"Content-Type: text/"; http_header; classtype:"web-application-activity"; sid:1000001; rev:1;)

Does it capture all packets? Does it log? (Your rule alerts)

Strictly speaking, you probably would want to use the following
modifications for his specific need:

log tcp any any -> any $PORT_HTTP (msg:"text mime type detected in web traffic"; content:"Content-Type: text/"; http_header; classtype:"web-application-activity"; sid:1000001; rev:1; tag:session;)

:)

Cheers,
Frank
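The following is an added example, not part of the thread above and not Snort's own code: a small Python model of just enough of the rule language to show what Frank is pointing at, namely the rule action (alert versus log), the `content` option with the `http_header` modifier, and `tag:session`, which keeps recording the rest of a session after a match. The two rules are the ones from the thread; the HTTP response headers fed to them are constructed for the example. The semantics are deliberately simplified assumptions (Snort's real parser validates far more, including the arguments of `tag`), so treat the output as an illustration of the alert/log/tag distinction rather than as a rule checker.

```python
"""Minimal Snort-style rule parser and matcher (added example; not Snort's code).

Models only: rule header, `content` + `http_header`, the rule action and
`tag:session`. Everything else is carried along unparsed. The behaviour
assigned to alert/log/tag is an assumption made for illustration.
"""
import re

# header:  action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


def split_options(opts):
    """Split 'k:v; k2; k3:"v;3";' into (key, value) pairs, honouring quoted ';'."""
    pairs, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            item = "".join(buf).strip()
            buf = []
            if item:
                key, _, val = item.partition(":")
                pairs.append((key.strip(), val.strip().strip('"') if val else None))
        else:
            buf.append(ch)
    return pairs


def parse_rule(text):
    """Parse one rule (line wraps are joined first) into a dict."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("not a rule: %r" % text)
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    return rule


def content_checks(rule):
    """Return (pattern, buffer) per `content`; buffer is 'http_header' when that
    modifier follows the content, otherwise the raw payload."""
    checks, pending = [], None
    for key, val in rule["options"]:
        if key == "content":
            if pending:
                checks.append(tuple(pending))
            pending = [val, "payload"]
        elif key == "http_header" and pending:
            pending[1] = "http_header"
    if pending:
        checks.append(tuple(pending))
    return checks


def evaluate(rule, http_headers, body=""):
    """What the rule would do for one packet carrying these HTTP headers."""
    buffers = {"http_header": http_headers,
               "payload": http_headers + "\r\n\r\n" + body}
    matched = all(pat in buffers[buf] for pat, buf in content_checks(rule))
    opts = dict(rule["options"])
    tagged = "tag" in opts and str(opts["tag"]).startswith("session")
    return {
        "matched": matched,
        "action": rule["action"],          # 'alert' records the trigger packet,
        "logs_whole_session": matched and tagged,  # tag:session keeps recording
    }


# The two rules from the thread, each joined onto one line.
PAUL_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime type '
             'detected in web traffic"; content:"Content-Type: text/"; http_header; '
             'classtype:"web-application-activity"; sid:1000001; rev:1;)')
FRANK_RULE = ('log tcp any any -> any $PORT_HTTP (msg:"text mime type detected in web '
              'traffic"; content:"Content-Type: text/"; http_header; '
              'classtype:"web-application-activity"; sid:1000001; rev:1; tag:session;)')

# Constructed sample HTTP response headers (not captured traffic).
TEXT_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 5"
IMAGE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 5"

if __name__ == "__main__":
    for name, text in (("Paul", PAUL_RULE), ("Frank", FRANK_RULE)):
        for label, hdrs in (("text/html", TEXT_RESPONSE), ("image/png", IMAGE_RESPONSE)):
            print(name, label, evaluate(parse_rule(text), hdrs))
```

Run it and the `text/html` response matches both rules, but only the second one reports `logs_whole_session`, which is the "does it capture all packets?" question in the reply; the `image/png` response matches neither.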
