Hi guys,
    I have made a simple integration between snort and squid with clamAV. The reason for that is that I want to send IDS syslog messages to my SIEM whenever a virus signature is found. So what I did was to add a snort rule:

    alert tcp any any -> any any (content:"squid_clwarn.php"; msg:"malware Found!"; sid:10000005; rev:1;)

    And in my squid config I have this as the redirect page whenever a virus is detected:
    (notice that I'm using port 8081 with HTTP and not HTTPS, or else snort will not get any visibility into the URL...)

    So, in my system log I get this message when a virus is found:

    Jul 12 18:24:01 snort 90281 [1:10000005:1] malware Found! {TCP} ->

    I'm wondering if it's possible for snort to get some more information from the redirected URL from squid?
    The whole URL snort redirects a user to looks like this: Eicar-Test-Signature FOUND

    So it would be nice to get the variable stream: "Eicar-Test-Signature FOUND" and where it's trying to download it from...

    Is that possible?
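Snort's syslog output only carries the rule message and packet header fields, so the virus name and origin URL have to be pulled out of the request payload itself (for example from a packet log keyed on the same sid). The following is an added example, not code from the post above; it assumes the squid redirect page receives the virus name and origin as query parameters named `virus` and `url`, and the HTTP request it parses is constructed.

```python
"""Enrich the 'squid_clwarn.php' Snort hit with the virus name and origin URL.

Added example, not from the original post. The query parameter names
`virus` and `url` are an assumption about the redirect page.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

RULE_CONTENT = b"squid_clwarn.php"          # the content: match from the rule
RULE_SID, RULE_REV, RULE_MSG = 10000005, 1, "malware Found!"

# Constructed sample request, as Snort would see it on the plain-HTTP port 8081.
SAMPLE_REQUEST = (
    b"GET /squid_clwarn.php?url=http%3A%2F%2Fexample.test%2Feicar.com"
    b"&virus=Eicar-Test-Signature%20FOUND HTTP/1.1\r\n"
    b"Host: proxy.example.test:8081\r\n\r\n"
)


def rule_matches(payload: bytes) -> bool:
    """Mirror the rule's content: check, which is a plain substring match."""
    return RULE_CONTENT in payload


def extract_redirect_fields(payload: bytes) -> Optional[dict]:
    """Decode the request-line URI's query string into the two fields we want.

    Returns None when the payload does not match the rule or is not an
    HTTP request line (so non-HTTP hits on the same bytes are ignored)."""
    if not rule_matches(payload):
        return None
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[0].isalpha():
        return None
    query = parse_qs(urlsplit(parts[1]).query)   # percent-decodes values
    return {
        "virus": query.get("virus", [""])[0],
        "origin_url": query.get("url", [""])[0],
    }


def enriched_alert(payload: bytes) -> Optional[str]:
    """Build the syslog-style line in the same [gid:sid:rev] format as Snort."""
    fields = extract_redirect_fields(payload)
    if fields is None:
        return None
    return (f"[1:{RULE_SID}:{RULE_REV}] {RULE_MSG} "
            f'virus="{fields["virus"]}" origin="{fields["origin_url"]}"')


if __name__ == "__main__":
    print(enriched_alert(SAMPLE_REQUEST))
```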