[Snort-users] Help with a rule

Luis Daniel Lucio Quiroz luis.daniel.lucio at ...11827...
Fri Mar 6 00:31:17 EST 2009


Thanks to all

Yes, I know: huge storage. But the silly programmers didn't program their 
application to log anything. Management, in a panicked attempt at compensation, 
wants to log HTML sessions for later review. Not my decision; the customer 
commands. jejeje!

On Thursday 05 March 2009 22:21:28 Frank Knobbe wrote:
> On Thu, 2009-03-05 at 21:38 -0600, Paul Schmehl wrote:
> > > Logs all http packets that have a text/* mime type.
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime type
> > detected in web traffic"; content:"Content-Type: text/"; http_header;
> > classtype:"web-application-activity"; sid:1000001; rev:1;)
>
> Does it capture all packets? Does it log? (Your rule alerts)
>
> Strictly speaking, you probably would want to use the following
> modifications for his specific need:
>
> log tcp any any -> any $PORT_HTTP (msg:"text mime type
> detected in web traffic"; content:"Content-Type: text/"; http_header;
> classtype:"web-application-activity"; sid:1000001; rev:1; tag:session;)
>
> :)
>
> Cheers,
> Frank
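To make the difference between the two quoted rules concrete, here is an added example, written for this page and not taken from the thread or from Snort itself. It is a deliberately small model of what a rule engine does with these two rules: it parses the rule action and option list, honours `http_header` as a modifier on the preceding `content` keyword, and records whether `tag:session` is present. It ignores the protocol, address, port and direction fields. The function and variable names (`parse_rule`, `rule_matches`, `disposition`, `TEXT_RESPONSE`, `BODY_ONLY_HIT`) and the two HTTP messages are constructed for the example; the rule text is the pair quoted above.

```python
import re
from dataclasses import dataclass

# The two rules quoted in the thread, used here as parser input.
ALERT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime type '
    'detected in web traffic"; content:"Content-Type: text/"; http_header; '
    'classtype:"web-application-activity"; sid:1000001; rev:1;)'
)
LOG_RULE = (
    'log tcp any any -> any $PORT_HTTP (msg:"text mime type '
    'detected in web traffic"; content:"Content-Type: text/"; http_header; '
    'classtype:"web-application-activity"; sid:1000001; rev:1; tag:session;)'
)

# Constructed HTTP messages (not from the thread).
# 1) The header carries a text/* type: both rules match.
TEXT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 12\r\n\r\n<p>hello</p>"
)
# 2) The header says image/png; "Content-Type: text/plain" appears only in
#    the body (a page that quotes HTTP headers, say). http_header keeps this
#    from matching; a raw-payload content match would fire on it.
BODY_ONLY_HIT = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
    b"\x89PNG ... Content-Type: text/plain ..."
)

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
# name, optional ':' value (quoted string or bare token), terminated by ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Rule:
    action: str    # alert / log / pass / ...
    options: list  # (name, value) pairs in rule order

    def option(self, name):
        """Value of the first option called `name`, unquoted, or None."""
        for n, v in self.options:
            if n == name:
                return v.strip('"')
        return None

    def contents(self):
        """(pattern, header_only) per content keyword; http_header is a
        modifier that applies to the content keyword just before it."""
        out = []
        for name, value in self.options:
            if name == "content":
                out.append([value.strip('"').encode(), False])
            elif name == "http_header" and out:
                out[-1][1] = True
        return [tuple(c) for c in out]


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule header")
    return Rule(action=m.group(1), options=OPTION_RE.findall(m.group(8)))


def http_header_buffer(msg):
    """Everything before the blank line that ends the HTTP header block."""
    head, _, _ = msg.partition(b"\r\n\r\n")
    return head


def rule_matches(rule, msg, honor_http_header=True):
    """True when every content pattern is found in its buffer: the header
    block if http_header is set (and honoured), else the raw payload."""
    for pattern, header_only in rule.contents():
        buf = http_header_buffer(msg) if (header_only and honor_http_header) else msg
        if pattern not in buf:
            return False
    return True


def disposition(rule, msg):
    """What the engine would do with this message under this rule:
    None on no match, else (action, logs_whole_session)."""
    if not rule_matches(rule, msg):
        return None
    return rule.action, rule.option("tag") == "session"


if __name__ == "__main__":
    for text in (ALERT_RULE, LOG_RULE):
        r = parse_rule(text)
        print(r.action, disposition(r, TEXT_RESPONSE), disposition(r, BODY_ONLY_HIT))
```

Run stand-alone, the script shows the alert rule producing `('alert', False)` and the log rule `('log', True)` on the text response, and no match for either on the message whose only `Content-Type: text/` string sits in the body. The `honor_http_header=False` switch in `rule_matches` shows the same message matching once the modifier is dropped, which is the false-positive the modifier exists to avoid.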