
I have a question about Snort (or maybe any other IDS/IPS, any working solutions would be ok).

The goal is to set up some web interface providing a way to view the whole TCP stream packets of each Snort alert. I'm interested in outgoing packets only. Say, I have to prevent my server from replying with a string "root:x:0:0". So, I add a rule:

reject tcp any any -> any any (content:"root:x:0:0"; flow:to_client; msg:"attack1_to_client"; sid:31337)

and get my alerts logged. The alert log is growing fairly quickly. And I have to find all unique request strings leading to /etc/passwd disclosure, and block all such strings.

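Added example (not part of the question, and not Snort code): a Python sketch of the triage step the question describes. It reassembles captured TCP segments per flow, and for every flow whose server-to-client data contains the rule's content "root:x:0:0", collects the unique client request lines that preceded the leak. The flows, addresses and payloads are constructed; one leaking response is split across two segments to show why per-flow reassembly, rather than per-packet matching, is needed.

```python
from collections import defaultdict

# Constructed sample: (flow_key, direction, payload). flow_key is the client-side
# 4-tuple; "c2s" is client->server, "s2c" is server->client (Snort's flow:to_client).
SEGMENTS = [
    (("10.0.0.5", 51000, "192.0.2.10", 80), "c2s", b"GET /report?id=1001 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (("10.0.0.5", 51000, "192.0.2.10", 80), "s2c", b"HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/bash\n"),
    (("10.0.0.6", 51002, "192.0.2.10", 80), "c2s", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (("10.0.0.6", 51002, "192.0.2.10", 80), "s2c", b"HTTP/1.1 200 OK\r\n\r\n<html>hello</html>"),
    # Same request from a second client; the leaking response is split across two segments.
    (("10.0.0.7", 51004, "192.0.2.10", 80), "c2s", b"GET /report?id=1001 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (("10.0.0.7", 51004, "192.0.2.10", 80), "s2c", b"HTTP/1.1 200 OK\r\n\r\nroot:x:0:"),
    (("10.0.0.7", 51004, "192.0.2.10", 80), "s2c", b"0:root:/root:/bin/bash\n"),
    (("10.0.0.8", 51006, "192.0.2.10", 80), "c2s", b"GET /export?format=txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (("10.0.0.8", 51006, "192.0.2.10", 80), "s2c", b"HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/bash\n"),
]

MARKER = b"root:x:0:0"  # the same content: string the rule in the question matches

def reassemble(segments):
    """Group segments per flow and concatenate each direction in arrival order."""
    flows = defaultdict(lambda: {"c2s": b"", "s2c": b""})
    for key, direction, payload in segments:
        flows[key][direction] += payload
    return flows

def request_lines(c2s):
    """Return the HTTP request lines (method, URI, version) found in a client stream."""
    lines = []
    for line in c2s.split(b"\r\n"):
        if line.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
            lines.append(line.decode("ascii", "replace"))
    return lines

def leaking_requests(segments, marker=MARKER):
    """Unique request strings from flows whose server->client data contains marker."""
    found = set()
    for streams in reassemble(segments).values():
        if marker in streams["s2c"]:  # the condition the to_client rule alerts on
            found.update(request_lines(streams["c2s"]))
    return sorted(found)

if __name__ == "__main__":
    for req in leaking_requests(SEGMENTS):
        print(req)
```

The result is the deduplicated list of request strings to review and block; the /index.html flow is left out because its response never carried the marker.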