Snort mailing list archives

Re: Question


From: wkitty42 () windstream net
Date: Sat, 23 Sep 2017 12:20:08 -0400

On 09/22/2017 06:26 PM, William Pearson wrote:
> Jim,
>
> Yeah, I know, but it's much easier to manage if it lists things by the msg in the rule.
>
> So, for example this rule,
>
> alert tcp $HOME_NET any -> [31.214.157.227,31.41.44.130] any (msg:"ET CNC Ransomware Tracker Reported CnC Server TCP group 86"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,$
>
> I want it to say "ET CNC Ransomware Tracker Reported CnC Server TCP group 86" in BASE.


that's what it should be doing... what are you seeing?

could it be that your sidmsg.map file is not up to date with the rules you have loaded?

is it the existence of the "[snort]" link at the beginning that you don't like?


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
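The sid-msg.map check suggested above, as an added example that is not part of this thread or of Snort/BASE: it parses rule lines into sid, msg and references, renders the classic "sid || msg || ref" map lines BASE reads, and diffs an existing map against the loaded rules to show stale, missing and orphaned entries. The rules and the old map are constructed samples; the sids are placeholders, not real ET sids.

```python
import re
# Constructed sample rules modelled on the ET rule quoted above; the sids are placeholders.
RULES = r'''
alert tcp $HOME_NET any -> [31.214.157.227,31.41.44.130] any (msg:"ET CNC Ransomware Tracker Reported CnC Server TCP group 86"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; classtype:trojan-activity; sid:9000001; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"disabled rule"; sid:9000009; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY example \"quoted\" msg"; sid:9000002; rev:1;)
'''
# Constructed stale map: 9000001 carries an old msg, 9000002 is absent, 9000003 is no longer loaded.
OLD_MAP = '''9000001 || ET CNC Ransomware Tracker Reported CnC Server TCP group 85 || url,doc.emergingthreats.net/bin/view/Main/BotCC
9000003 || ET CNC retired rule
'''
# One rule option: name, then either a quoted string (escapes allowed) or an unquoted value, up to ';'.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rules(text):
    """Return {sid: (msg, [references])} for every active (uncommented) rule."""
    rules = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith('#') or '(' not in line or ')' not in line:
            continue
        opts = OPT_RE.findall(line[line.index('(') + 1:line.rindex(')')])
        msg = next((v[1:-1].replace('\\"', '"') for n, v in opts if n == 'msg'), None)  # unquote
        sid = next((int(v) for n, v in opts if n == 'sid'), None)
        refs = [v.strip() for n, v in opts if n == 'reference']
        if sid is not None and msg is not None:
            rules[sid] = (msg, refs)
    return rules

def build_sidmsg_map(rules):
    """Render classic 'sid || msg || ref ...' lines, sorted by sid."""
    return [' || '.join([str(sid), msg] + refs) for sid, (msg, refs) in sorted(rules.items())]

def parse_sidmsg_map(text):
    """Return {sid: msg} from an existing sid-msg.map, skipping comments and blanks."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith('#'):
            fields = [f.strip() for f in line.split('||')]
            entries[int(fields[0])] = fields[1]
    return entries

def check_map(rules, existing):
    """Report sids whose msg is stale, missing from the map, or orphaned (in the map only)."""
    stale = {s: (existing[s], m) for s, (m, _) in rules.items() if s in existing and existing[s] != m}
    missing = sorted(s for s in rules if s not in existing)
    orphaned = sorted(s for s in existing if s not in rules)
    return {'stale': stale, 'missing': missing, 'orphaned': orphaned}
```

Run check_map(parse_rules(open('local.rules').read()), parse_sidmsg_map(open('sid-msg.map').read())) against your own files; any entry under "stale" is a sid whose msg BASE will show with the old text until the map is regenerated.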