Have you looked at trying to use the ruletype option for snort? I believe you can create a ruletype that defines a spyware ruletype
ruletype spyware
{
type log
output log_tcpdump: spyware.log
}
then use the rule type as an action.
spyware tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE what ever"; flow: established,to_server; uricontent:"spyware.exe"; nocase; reference: url,spyware.com; classtype: trojan-activity; sid: 111111111; rev:1; )
I am guessing, I haven't really tried it myself, but reading the documentation on snort.org, this is how I interpret it.
http://www.snort.org/docs/snort_htma...60/node17.html
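As an added example (not from the post and not Snort's own code), here is a small Python checker that parses a ruletype block like the one above and flags any rule whose action is neither a Snort built-in nor a ruletype defined in the config, which is what goes wrong if the ruletype definition is missing from snort.conf. The config fragment and rules are constructed samples.

```python
import re

# Snort's built-in rule actions; anything else must be a ruletype defined in snort.conf.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

# Constructed snort.conf fragment, same shape as the ruletype block in the post.
SAMPLE_CONF = """
ruletype spyware
{
    type log
    output log_tcpdump: spyware.log
}
"""

# Constructed rules: one custom-action rule, one built-in, one whose action is never defined.
SAMPLE_RULES = """
spyware tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE spyware.exe download"; flow:established,to_server; uricontent:"spyware.exe"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"builtin action"; sid:1000002; rev:1;)
adware tcp any any -> any 80 (msg:"undefined ruletype"; sid:1000003; rev:1;)
"""

RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_ruletypes(conf):
    """Map each ruletype name to its base type and its output plugin lines."""
    types = {}
    for name, body in RULETYPE_RE.findall(conf):
        info = {"type": None, "outputs": []}
        for line in (l.strip() for l in body.splitlines()):
            if line.startswith("type "):
                info["type"] = line.split(None, 1)[1]
            elif line.startswith("output "):
                info["outputs"].append(line.split(None, 1)[1])
        types[name] = info
    return types

def check_rules(rules, ruletypes):
    """Return (sid, action, problem) for each rule whose action is not usable."""
    problems = []
    for line in (l.strip() for l in rules.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((None, None, "unparseable rule header"))
            continue
        action, options = m.group(1), m.group(8)
        sid_match = SID_RE.search(options)
        sid = int(sid_match.group(1)) if sid_match else None
        if action not in BUILTIN_ACTIONS and action not in ruletypes:
            problems.append((sid, action, "action is not a built-in or a defined ruletype"))
    return problems
```

Running `check_rules(SAMPLE_RULES, parse_ruletypes(SAMPLE_CONF))` reports only the `adware` rule, since `spyware` is defined in the config fragment.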