I need to monitor a specific user's traffic on port 80 and I would like to use a Snort alert rule so that the traffic is stored in MySQL on my IDS box.
I have tried this simple rule but it does not work. IP changed to protect the innocent :-)
alert tcp 10.x.x.x 80 -> any any (msg:"10.x.x.x Web Traffic Alert";)
Since my Snort box sits between the firewall and the main router, it is ideal for monitoring the traffic.
Can anyone give me a rule that will accomplish what I need?
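Added example, not part of the original post and not Snort's own code: a small Python sketch of how a Snort rule header (source IP and port, direction operator, destination IP and port) is compared against a packet, run over the posted rule and a variant. It assumes the monitored host is a client browsing to web servers on port 80; the variant rule, its `sid`, the address 192.0.2.10 and the port 49152 are constructed for illustration, and `10.x.x.x` is the post's redacted placeholder used as a literal string.

```python
import re

# Header layout: action proto src_ip src_port (-> | <>) dst_ip dst_port (options)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")
KEYS = ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")

def parse_header(rule):
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a rule header: %r" % rule)
    return dict(zip(KEYS, m.groups()))

def _field(pattern, value):
    # "any" is a wildcard; this sketch compares everything else literally
    # (no CIDR blocks, negation, variables or port ranges).
    return pattern == "any" or pattern == str(value)

def _side(h, a, b, pkt):
    # Compare rule side `a` with the packet source and side `b` with its destination.
    return (_field(h[a + "_ip"], pkt["src_ip"]) and _field(h[a + "_port"], pkt["src_port"])
            and _field(h[b + "_ip"], pkt["dst_ip"]) and _field(h[b + "_port"], pkt["dst_port"]))

def header_matches(rule, pkt):
    h = parse_header(rule)
    if h["proto"] != pkt["proto"]:
        return False
    if _side(h, "src", "dst", pkt):
        return True
    # "<>" also matches when the two sides of the header are swapped.
    return h["direction"] == "<>" and _side(h, "dst", "src", pkt)

# The rule exactly as posted: the monitored host with SOURCE port 80.
POSTED = 'alert tcp 10.x.x.x 80 -> any any (msg:"10.x.x.x Web Traffic Alert";)'
# Constructed variant: host on any port, peer on port 80, both directions.
# sid 1000001 is a constructed value in the range conventionally used for local rules.
CLIENT = 'alert tcp 10.x.x.x any <> any 80 (msg:"10.x.x.x Web Traffic Alert"; sid:1000001; rev:1;)'

# Constructed packets: a browser request from the host and the server's reply.
REQUEST = dict(proto="tcp", src_ip="10.x.x.x", src_port=49152, dst_ip="192.0.2.10", dst_port=80)
RESPONSE = dict(proto="tcp", src_ip="192.0.2.10", src_port=80, dst_ip="10.x.x.x", dst_port=49152)

def results():
    # Maps each rule name to (matches request, matches response).
    return {name: (header_matches(rule, REQUEST), header_matches(rule, RESPONSE))
            for name, rule in (("posted", POSTED), ("client", CLIENT))}

if __name__ == "__main__":
    for name, hits in results().items():
        print(name, "request=%s response=%s" % hits)
```

The posted header only describes packets that leave 10.x.x.x from source port 80, which is what a web server on that address would send; a browser on that host uses an ephemeral source port and port 80 as the destination.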