Re: Help with a rule

[Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com>]

Thanks to all

Yes I know. huge storage.  But silly programmers didnt program their 
application to log anything.  Management in a panic try of compensation they 
want to log HTML session for later review.  Not my decision, customer 
commands. jejeje!

On Thursday 05 March 2009 22:21:28 Frank Knobbe wrote:
> On Thu, 2009-03-05 at 21:38 -0600, Paul Schmehl wrote:
> > > Logs al http packets that has a text/* mime type.
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT_HTTP (msg:"text mime type
> > detected in web traffic"; content:"Content-Type: text/"; http_header;
> > classtype:"web-application-activity"; sid:1000001; rev:1;)
>
> Does it capture all packets? Does it log? (Your rule alerts)
>
> Strictly speaking, you probably would want to use the following
> modifications for his specific need:
>
> log tcp any any -> any $PORT_HTTP (msg:"text mime type
> detected in web traffic"; content:"Content-Type: text/"; http_header;
> classtype:"web-application-activity"; sid:1000001; rev:1; tag:session;)
>
> :)
>
> Cheers,
> Frank



------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users