[Snort-users] Include details of payload in log message?

Toby Riddell toby.riddell at ...17573...
Sun Jun 12 06:54:47 EDT 2016


I want to detect activity by bittorrent clients on my home network. When
they start, they open a port from the Internet using UPnP IGD; a sample
payload is:

<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    <NewPortMappingDescription>qBittorrent v3.3.4 at

I want to match AddPortMapping and insert the NewPortMappingDescription
(whether it is qBittorrent or some other BT client) into the message. Is
this possible using Snort alone? Is there an add-on to Snort that will do
it for me?

(Google's bringing up nothing so I'm hopeful the mailing list can help :-))
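
One way to get the description into an alert line outside the Snort rule itself, added here as an example and not part of the original post: a Python post-processor for the HTTP body of a logged AddPortMapping request. The function names, the sample body and the output format are constructed assumptions; it goes beyond the post by also extracting port, protocol and internal client, and it tolerates a truncated capture like the sample above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample body of a UPnP IGD AddPortMapping request (not from the post).
SAMPLE = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewExternalPort>6881</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalClient>192.0.2.10</NewInternalClient>
<NewPortMappingDescription>ExampleBT v1.0</NewPortMappingDescription>
</u:AddPortMapping></s:Body></s:Envelope>"""

FIELDS = ("NewPortMappingDescription", "NewExternalPort", "NewProtocol", "NewInternalClient")

def _clean(value, limit=64):
    """Fields are client-controlled: drop control characters and cap the length."""
    return "".join(c for c in value if c.isprintable())[:limit].strip()

def parse_add_port_mapping(body):
    """Return the mapping fields as a dict, or None if not an AddPortMapping call."""
    text = body.decode("utf-8", errors="replace")
    if "AddPortMapping" not in text:
        return None
    found = {}
    if "<!DOCTYPE" not in text.upper():  # refuse DTDs (entity expansion)
        try:
            for el in ET.fromstring(body).iter():
                name = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
                if name in FIELDS:
                    found[name] = _clean(el.text or "")
        except ET.ParseError:
            pass  # truncated capture: fall through to the regex below
    for name in FIELDS:  # fallback for anything the XML parser did not yield
        if name not in found:
            m = re.search(r"<%s>([^<]*)" % name, text)
            if m:
                found[name] = _clean(m.group(1))
    return found

def alert_message(body):
    """Build a single-line alert string that embeds the extracted fields."""
    f = parse_add_port_mapping(body)
    if f is None:
        return None
    return "UPnP AddPortMapping desc=%r port=%s/%s client=%s" % (
        f.get("NewPortMappingDescription", "?"), f.get("NewExternalPort", "?"),
        f.get("NewProtocol", "?"), f.get("NewInternalClient", "?"))
```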

