Snort mailing list archives

Re: How does Snort 3 support Suricata rules, like these keywords?


From: "Joel Esler \(jesler\) via Snort-devel" <snort-devel () lists snort org>
Date: Tue, 2 Feb 2021 14:41:57 +0000

Hit send too fast, sorry. While we do not support Suricata rules, http_header is very flexible in Snort 3. It can be used in conjunction with any header field arbitrarily without having to add rule options to the engine:

snort_user.html <https://snort.org/downloads/snortplus/snort_user.html>


Please check out the section on the HTTP preprocessor (can be found on the left)

-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org
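As an added illustration of that flexibility (example rules written here, not from the thread or the Snort project), these Snort 3 rules use http_header's `field` parameter to match single header fields for which Snort 3 has no dedicated rule option, mirroring the Suricata http.referer and http.accept_lang sticky buffers from the table quoted below. The `field` parameter is assumed as described in the Snort 3 user manual; the SIDs, messages and matched strings are constructed placeholders.

```snort
# Added example, not from the thread. Snort 3 rules matching arbitrary
# header fields through http_header, so no new rule option is required.
# SIDs and content strings are constructed placeholders.

# Suricata http.referer  ->  Snort 3 http_header restricted to the Referer field
alert http any any -> any any ( msg:"EXAMPLE placeholder referer seen"; flow:to_server,established; http_header:field referer; content:"placeholder.example"; sid:1000001; rev:1; )

# Suricata http.accept_lang  ->  Snort 3 http_header restricted to Accept-Language
alert http any any -> any any ( msg:"EXAMPLE placeholder accept-language seen"; flow:to_server,established; http_header:field accept-language; content:"zz-ZZ"; sid:1000002; rev:1; )

# Without "field", http_header holds all normalized request headers, so a
# header name itself can be matched (Suricata http.header / http.header_names).
alert http any any -> any any ( msg:"EXAMPLE placeholder custom header present"; flow:to_server,established; http_header; content:"X-Example-Token:"; sid:1000003; rev:1; )
```

The rules can be placed in a local rules file and loaded with the HTTP inspector enabled; each fires only when the named field or header text is present in a client request.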



On Feb 2, 2021, at 9:26 AM, Joel Esler (jesler) via Snort-devel <snort-devel () lists snort org> wrote:

We do not support suricata rules.

-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org

On Feb 1, 2021, at 8:11 PM, 15135147016--- via Snort-devel <snort-devel () lists snort org> wrote:


How does Snort 3 support Suricata rules, like these keywords?


Keyword             Legacy Content Modifier   Direction
------------------  ------------------------  ---------
http.uri            http_uri                  Request
http.uri.raw        http_raw_uri              Request
http.method         http_method               Request
http.request_line   http_request_line (*)     Request
http.request_body   http_client_body          Request
http.header         http_header               Both
http.header.raw     http_raw_header           Both
http.cookie         http_cookie               Both
http.user_agent     http_user_agent           Request
http.host           http_host                 Request
http.host.raw       http_raw_host             Request
http.accept         http_accept (*)           Request
http.accept_lang    http_accept_lang (*)      Request
http.accept_enc     http_accept_enc (*)       Request
http.referer        http_referer (*)          Request
http.connection     http_connection (*)       Request
http.content_type   http_content_type (*)     Both
http.content_len    http_content_len (*)      Both
http.start          http_start (*)            Both
http.protocol       http_protocol (*)         Both
http.header_names   http_header_names (*)     Both

15135147016 () 163 com
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
