Snort mailing list archives
Fwd: Create a rule that takes its content from a file.
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Tue, 14 May 2013 10:29:45 -0400
Forwarding to mailing list. ---------- Forwarded message ---------- From: Tony Robinson <deusexmachina667 () gmail com> Date: Tue, May 14, 2013 at 10:29 AM Subject: Re: [Snort-sigs] Create a rule that takes its content from a file. To: arneu sneu <arneu99 () hotmail com> Hm... You may want to look at the file-identify.rules category. This seems to be right up your alley. http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 () hotmail com> wrote:
Hi, I just installed Snort a few days ago and started to play with it by writing my own rules. I would like my rule to take its content from a file, but I haven't find any information on this topic, neither in the manual, nor on the Internet. I found that the content-list keyword once existed in Snort, but it has apparently been removed about 6 years ago. Too bad, because it was exactly what I was looking for. Would anybody have an idea on how to do such a thing with current snort features? I could write a rule for each of the lines of my file or use pcre with the list of possible values, but I was wondering if there was a way to do it with a rule taking its content from a file. If not, what is the correct approach to do this? As an example, if I have a file containing a whitelist of file extensions, I would like to raise an alert when an email attachment having an extension that is not in the list is seen in the network traffic. Many thanks for your help. Cheers Arneu ------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
-- when does reality end? when does fantasy begin? -- when does reality end? when does fantasy begin?
------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Create a rule that takes its content from a file. arneu sneu (May 14)
- Message not available
- Fwd: Create a rule that takes its content from a file. Tony Robinson (May 14)
- Message not available
- Re: Create a rule that takes its content from a file. Joel Esler (May 14)
- Message not available
- Message not available
- Re: Create a rule that takes its content from a file. Tony Robinson (May 14)
- Re: Create a rule that takes its content from a file. arneu sneu (May 15)
- Message not available