Snort mailing list archives
Re: Using a var in the conf and local rules
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 25 Feb 2013 15:29:05 -0500
On Feb 25, 2013, at 3:06 PM, "Lay, James" <james.lay () wincofoods com> wrote:
> From: honeybadger () q com [mailto:honeybadger () q com]
>
> Hey all,
>
> I am adding scanners for 600+ suspect IPs in a text file. Ok adding in include snort.var
> Adding var IP_RULES
> Then
>
>     alert tcp any any -> $IP_RULES any (msg:"suspect IP detected"; sid:4525;)
>
> I would like if the alert would tell me which IP it found. Usually I would use a content but this is different. Anyone know how to set this up?
>
> Thanks,
>
> Wonder if adding these to the reputation blacklist would do the trick? Not sure.
>
> James
I'd recommend the IP reputation blacklist for that. Instead of doing IP rules.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
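The approach recommended above, as an added example that is not code from the thread or from the Snort project: turning a suspect-IP text file into a list file for the `blacklist` option of `preprocessor reputation` in snort.conf. The function name `build_blacklist`, the `min_prefix` guard and the sample addresses are assumptions made for illustration; the input is assumed to hold one IP or CIDR per line with optional `#` comments.

```python
import ipaddress

# Constructed sample of the "suspect IPs" text file (documentation address ranges).
SAMPLE = """\
# suspect hosts
192.0.2.10
198.51.100.0/24
192.0.2.10
203.0.113.7   # trailing note
not-an-ip
0.0.0.0/0
198.51.100.25
"""

def build_blacklist(text, min_prefix=8):
    """Return (entries, rejected) for a reputation blacklist file.

    entries: one IP or CIDR per line, as the reputation preprocessor reads them.
    rejected: (line number, text, reason) for input that must not be loaded.
    """
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "not an IP or CIDR"))
            continue
        if net.prefixlen < min_prefix:         # a typo like /0 would match all traffic
            rejected.append((lineno, entry, "network too broad"))
            continue
        nets.append(net)
    entries = []
    for version in (4, 6):                     # collapse_addresses needs one IP version
        same = [n for n in nets if n.version == version]
        # Merges duplicates, hosts covered by a listed network, and adjacent ranges.
        for net in ipaddress.collapse_addresses(same):
            is_host = net.prefixlen == net.max_prefixlen
            entries.append(str(net.network_address) if is_host else str(net))
    return entries, rejected

if __name__ == "__main__":
    entries, rejected = build_blacklist(SAMPLE)
    print("\n".join(entries))                  # write this to the blacklist file
    for lineno, entry, reason in rejected:
        print(f"# skipped line {lineno}: {entry!r} ({reason})")
```

Reputation events are logged under generator ID 136 and carry the packet's source and destination addresses, which is how the alert shows which listed IP matched.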