Snort mailing list archives

Re: Help with a rule


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 06 Mar 2009 12:06:21 -0600

On Fri, 2009-03-06 at 09:12 -0500, Alex Kirk wrote:
> First of all, depending on just how much you want to log, going with
> "alert" instead of "log" and skipping the "tag:session;" may be smart
> - it would be easy to overload your IDS with this if it's not very
> powerful, or if it's attempting to do anything else.

Haha.... you're missing the point there Alex. I was just being pedantic.
If he wanted to log all HTTP traffic with that Content type, then "log"
would be appropriate (he didn't say alert), and of course you would want
the whole stream.

But I concede...re-reading his email, he just wanted to log every
"packet" with that content type, so the tag was indeed unnecessary.

> * $HTTP_PORTS is actually a default Snort variable, as opposed to
> $PORT_HTTP

Didn't catch that, just did a copy'n'paste from Paul's reply (which is
where your changes are ending up again). My recursion-avoidance system
orders me to discontinue the thread.

Just wanted to make you aware that my reply wasn't exactly serious.
(I'll put more smileys in there next time).

Cheers!
Frank
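The two rule shapes the thread is comparing, written out as an added example for reference. This is not the rule from the original poster, Paul, Alex or Frank; the Content-Type value `application/x-example`, the sids and the 300-second tag window are placeholders, and the `http_header` modifier (which needs the http_inspect preprocessor) goes beyond what the thread mentions:

```snort
# Added example, not from the thread. Content-Type value, sids and the tag
# window are placeholders chosen for illustration.

# Variant 1: "log" action plus tag:session. Once one packet matches, Snort keeps
# logging the whole TCP session (both directions) for up to 300 seconds. On a
# busy sensor every matching response drags its full stream into the log, which
# is the overload Alex warned about.
log tcp any $HTTP_PORTS -> any any ( \
    msg:"LOG HTTP response with placeholder content type (full session)"; \
    flow:established,to_client; \
    content:"Content-Type|3A| application/x-example"; nocase; http_header; \
    tag:session,300,seconds; \
    classtype:not-suspicious; sid:1000001; rev:1; )

# Variant 2: "alert" with no tag option. One event per matching packet, no
# stream capture, which is what the original request ("log every packet with
# that content type") actually needs.
# $HTTP_PORTS is the port variable snort.conf defines by default; $PORT_HTTP is
# not, and Snort refuses to load a rule that references an undefined variable.
alert tcp any $HTTP_PORTS -> any any ( \
    msg:"HTTP response with placeholder content type"; \
    flow:established,to_client; \
    content:"Content-Type|3A| application/x-example"; nocase; http_header; \
    classtype:not-suspicious; sid:1000002; rev:1; )
```

If the traffic of interest is client-to-server (a POST body with that Content-Type rather than a response), swap the direction to `any any -> any $HTTP_PORTS` and use `flow:established,to_server`.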
 


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net