On Fri, 2009-03-06 at 09:12 -0500, Alex Kirk wrote:
> First of all, depending on just how much you want to log, going with
> "alert" instead of "log" and skipping the "tag:session;" may be smart
> - it would be easy to overload your IDS with this if it's not very
> powerful, or if it's attempting to do anything else.
Haha.... you're missing the point there Alex. I was just being pedantic. If he wanted to log all HTTP traffic with that Content type, then "log" would be appropriate (he didn't say alert), and of course you would want the whole stream.
But I concede...re-reading his email, he just wanted to log every "packet" with that content type, so the tag was indeed unnecessary.
> * $HTTP_PORTS is actually a default Snort variable, as opposed to
> $PORT_HTTP
Didn't catch that, just did a copy'n'paste from Paul's reply (which is
where your changes are ending up again). My recursion-avoidance system
orders me to discontinue the thread.
Just wanted to make you aware that my reply wasn't exactly serious. (I'll put more smileys in there next time).
Cheers!
Frank