Snort mailing list archives
reference port data in rule msg
From: "Stephen Gill" <gillsr () yahoo com>
Date: Tue, 19 Mar 2002 21:17:45 -0800
Hi all,

Does anyone know if there is a way to reference the actual tcp/udp port and/or other information of a packet when it matches a particular rule (i.e. protocol, etc.)? I would like to configure a snort rule with a dynamic text message based on the actual port that is being probed. I would like all traffic destined to a particular IP address to be logged as a probe along with the actual port and protocol information in the text field. What might be the best way of accomplishing this?

Instead of:

    alert tcp $EXTERNAL_NET any -> $FAKE_NET 1 (msg:"Probe 1 / tcp";classtype:bad-unknown; sid:9990; rev:1;)
    alert udp $EXTERNAL_NET any -> $FAKE_NET 1 (msg:"Probe 1 / udp";classtype:bad-unknown; sid:9991; rev:1;)
    alert tcp $EXTERNAL_NET any -> $FAKE_NET 2 (msg:"Probe 2 / tcp";classtype:bad-unknown; sid:9993; rev:1;)
    alert udp $EXTERNAL_NET any -> $FAKE_NET 2 (msg:"Probe 2 / udp";classtype:bad-unknown; sid:9994; rev:1;)
    ...

(as you can see this can become quite tedious and would generate a lot of unnecessary rules), I need something like:

    alert tcp $EXTERNAL_NET any -> $FAKE_NET :1024 (msg:"Probe $PORT / tcp";classtype:bad-unknown; sid:9990; rev:1;)
    alert udp $EXTERNAL_NET any -> $FAKE_NET :1024 (msg:"Probe $PORT / udp";classtype:bad-unknown; sid:9991; rev:1;)

One possibility is to configure the above rules to LOG, and then use a parser to create my own customized messages and forward them along, but it would seem like a big waste if this can be done inside of snort.

Any advice would be greatly appreciated. Thanks!

-- steve
Current thread:
- reference port data in rule msg Stephen Gill (Mar 19)
- Re: reference port data in rule msg Brian (Mar 20)