Snort mailing list archives

Re: Help with a rule


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 05 Mar 2009 21:38:56 -0600

--On March 5, 2009 6:18:49 PM -0600 Luis Daniel Lucio Quiroz 
<luis.daniel.lucio () gmail com> wrote:


Hi Oinks,

Can anyone help me build a rule that does this:

Logs all HTTP packets that have a text/* MIME type.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"text mime type detected in web traffic"; content:"Content-Type: text/"; http_header; classtype:web-application-activity; sid:1000001; rev:1;)

You *do* realize this will capture *every* text/html header, which will be 
a ton of packets if you're tracking any traffic at all?  If you can 
restrict it to something more specific, like text/xml, you'll have many 
fewer alerts to deal with.

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying
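Following Paul's suggestion, a narrowed version of the rule is shown below as an added example; it is not Paul's rule and not part of the original thread. It assumes the stock snort.conf variables ($HOME_NET, $EXTERNAL_NET, $HTTP_PORTS) and a sensor watching HOME_NET web clients, so the match is applied to server responses only; the sid 1000002 is a placeholder in the local rule range.

```snort
# Added example, not from the original post.
# Alert only on server responses whose body is text/xml. Limiting the
# match to the to_client direction and to one subtype keeps ordinary
# text/html pages from firing it, which is the noise Paul describes.
# Assumes stock snort.conf variables; sid 1000002 is a placeholder.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"text/xml mime type in web response"; \
    flow:established,to_client; \
    content:"Content-Type: text/xml"; nocase; http_header; \
    classtype:web-application-activity; \
    sid:1000002; rev:1; )
```

If the sensor sits in front of HOME_NET web servers instead, swap the two address/port pairs in the header so the rule still points from server to client. Matching response headers with http_header also depends on the http_inspect preprocessor being configured to inspect responses (extended_response_inspection in the Snort 2.8 series); without it, the header keyword only sees request headers and the rule is silent.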


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
