Snort mailing list archives
Re: Help with a rule
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 05 Mar 2009 21:38:56 -0600
--On March 5, 2009 6:18:49 PM -0600 Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com> wrote:
Hi Oinks, Can anyone help me build a rule that does this: Log all HTTP packets that have a text/* MIME type.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"text mime type detected in web traffic"; content:"Content-Type: text/"; http_header; classtype:web-application-activity; sid:1000001; rev:1;)

You *do* realize this will capture *every* text/html header, which will be a ton of packets if you're tracking any traffic at all? If you can restrict it to something more specific, like text/xml, you'll have many fewer alerts to deal with?

Paul Schmehl, If it isn't already obvious, my opinions are my own and not those of my employer.
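
Added example, not part of the thread: a small Python model of the substring match behind the rule's `content` option, run over constructed HTTP messages to compare the alert volume of `Content-Type: text/` against `Content-Type: text/xml`. The function names and sample messages are hypothetical; the `nocase` and `headers_only` arguments stand in for Snort's `nocase` and `http_header` modifiers.

```python
from collections import Counter

# Constructed sample traffic (not from the thread): raw HTTP messages.
SAMPLES = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hi</p>",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\nbody{}",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n<a/>",
    b"HTTP/1.1 200 OK\r\ncontent-type: text/xml\r\n\r\n<b/>",   # lowercase header name
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG",
    b"POST /f HTTP/1.1\r\nHost: example.test\r\nContent-Type: application/json\r\n\r\n"
    b'{"note": "Content-Type: text/xml"}',                       # string appears only in the body
]

def headers_of(message):
    """Return the header section (everything before the first blank line)."""
    return message.split(b"\r\n\r\n", 1)[0]

def hits(messages, content, nocase=False, headers_only=True):
    """Count messages that a plain substring match on `content` would alert on."""
    needle = content.lower() if nocase else content
    count = 0
    for msg in messages:
        hay = headers_of(msg) if headers_only else msg
        if nocase:
            hay = hay.lower()
        count += needle in hay
    return count

def text_subtypes(messages):
    """Tally text/* subtypes in Content-Type headers to pick a narrower match."""
    tally = Counter()
    for msg in messages:
        for line in headers_of(msg).split(b"\r\n")[1:]:   # skip the start line
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-type":
                mime = value.split(b";")[0].strip().lower().decode()
                if mime.startswith("text/"):
                    tally[mime] += 1
    return tally

if __name__ == "__main__":
    print("broad  text/   :", hits(SAMPLES, b"Content-Type: text/"))
    print("narrow text/xml:", hits(SAMPLES, b"Content-Type: text/xml"))
    print("narrow + nocase:", hits(SAMPLES, b"Content-Type: text/xml", nocase=True))
    print("subtypes       :", dict(text_subtypes(SAMPLES)))
```

The case-sensitive match misses the lowercase header name, and dropping the header restriction also matches the request whose body merely contains the string.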