[Snort-users] Help with a rule

Frank Knobbe frank at ...9761...
Fri Mar 6 13:06:21 EST 2009

On Fri, 2009-03-06 at 09:12 -0500, Alex Kirk wrote:
> First of all, depending on just how much you want to log, going with
> "alert" instead of "log" and skipping the "tag:session;" may be smart
> - it would be easy to overload your IDS with this if it's not very
> powerful, or if it's attempting to do anything else.

Haha.... you're missing the point there Alex. I was just being pedantic.
If he wanted to log all HTTP traffic with that Content type, then "log"
would be appropriate (he didn't say alert), and of course you would want
the whole stream.

But I concede...re-reading his email, he just wanted to log every
"packet" with that content type, so the tag was indeed unnecessary.

> * $HTTP_PORTS is actually a default Snort variable, as opposed to

Didn't catch that, just did a copy'n'paste from Paul's reply (which is
where your changes are ending up again). My recursion-avoidance system
orders me to discontinue to thread.

Just wanted to make you aware that my reply wasn't exactly serious.
(I'll put more smileys in there next time).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090306/a6ebb233/attachment.sig>

More information about the Snort-users mailing list