snort-users March 2009 archive

Re: [Snort-users] Help with a rule

From: Frank Knobbe <frank_at_nospam>
Date: Fri Mar 06 2009 - 18:06:21 GMT
To: Alex Kirk <akirk@sourcefire.com>


On Fri, 2009-03-06 at 09:12 -0500, Alex Kirk wrote:
> First of all, depending on just how much you want to log, going with
> "alert" instead of "log" and skipping the "tag:session;" may be smart
> - it would be easy to overload your IDS with this if it's not very
> powerful, or if it's attempting to do anything else.

Haha.... you're missing the point there Alex. I was just being pedantic. If he wanted to log all HTTP traffic with that Content type, then "log" would be appropriate (he didn't say alert), and of course you would want the whole stream.

But I concede...re-reading his email, he just wanted to log every "packet" with that content type, so the tag was indeed unnecessary.

> * $HTTP_PORTS is actually a default Snort variable, as opposed to
> $PORT_HTTP

Didn't catch that, just did a copy'n'paste from Paul's reply (which is where your changes are ending up again). My recursion-avoidance system orders me to discontinue the thread.

Just wanted to make you aware that my reply wasn't exactly serious. (I'll put more smileys in there next time).

Cheers!
Frank  
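To make the distinction Frank and Alex are discussing concrete, here are the rule variants side by side as an added example; these are not rules from the thread. The Content-Type value, the sids, and the direction (server responses on $HTTP_PORTS) are assumptions, so adjust them to the case at hand.

```snort
# Variant 1: what the original poster asked for. "log" records every matching
# packet (no alert), and without a tag option nothing beyond that packet is kept.
# CONTENT_TYPE_PLACEHOLDER stands in for the type the thread never names.
log tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"HTTP response with watched Content-Type (packet only)"; \
    flow:to_client,established; \
    content:"Content-Type|3A 20|CONTENT_TYPE_PLACEHOLDER"; nocase; \
    classtype:policy-violation; sid:1000001; rev:1; )

# Variant 2: Frank's "whole stream" reading. tag:session makes Snort keep
# logging the rest of the session for 300 seconds after the first hit.
# This is the load Alex warned about: every matching session is captured
# in full, so a busy sensor can fall behind on everything else.
log tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"HTTP response with watched Content-Type (full session)"; \
    flow:to_client,established; \
    content:"Content-Type|3A 20|CONTENT_TYPE_PLACEHOLDER"; nocase; \
    tag:session,300,seconds; \
    classtype:policy-violation; sid:1000002; rev:1; )

# Variant 3: Alex's lighter alternative. "alert" produces an event (and the
# triggering packet) rather than a packet log, still with no tag.
# Note $HTTP_PORTS is the default Snort variable; $PORT_HTTP is not defined
# unless you add it to snort.conf yourself.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"HTTP response with watched Content-Type (alert only)"; \
    flow:to_client,established; \
    content:"Content-Type|3A 20|CONTENT_TYPE_PLACEHOLDER"; nocase; \
    classtype:policy-violation; sid:1000003; rev:1; )
```

If the Content-Type of interest also appears in client requests (for example POST uploads), the same three rules can be duplicated with the direction reversed ($HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS and flow:to_server).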


