Snort mailing list archives
Re: Feature Request: regex matching available as $n strings for msg:?
From: Jeff Nathan <jeff () snort org>
Date: Sun, 22 Jun 2003 22:47:08 -0700
You seek snort-perl or snort-pcre.

http://www.snort.org/dl/contrib/patches/

Go forth and be merry.

-Jeff

--On Monday, June 23, 2003 13:54 +1200 Jason Haar <Jason.Haar () trimble co nz> wrote:
Says it all really. I know the regex support isn't live yet, but...

There are quite a few rules where it would be most useful if you could actually "see" some of the data that triggered the alert. e.g. if you wanted to log the username of all attempted FTP logins, you could do something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
  (msg:"Attempted FTP login by $1"; \
  flow:to_server,established; \
  regex:"USER ([^\s]+)";)

For realtime alerting in the current implementation, post-processing such information is really next to impossible as you either have to interact with the SQL database, or with raw tcpdump logs...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
http://cerberus.sourcefire.com/~jeff (gpg key available)
Great spirits have always encountered violent opposition from mediocre minds.
- Albert Einstein
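As an added example (not code from Snort or from either poster), a small Python post-processor that does what Jason's quoted rule asks for: it applies the rule's regex to constructed FTP payloads and substitutes capture group 1 into the msg. The names RULE, SAMPLE_PAYLOADS, expand_msg and alert_for are assumed here, and the payloads are made up.

```python
import re
from typing import Optional

# Constructed example modelled on the rule in the quoted feature request.
# This is not a Snort rule parser: only the two fields it needs are kept.
RULE = {
    "msg": "Attempted FTP login by $1",
    "regex": r"USER ([^\s]+)",
}

# Constructed sample client->server payloads as seen on port 21.
SAMPLE_PAYLOADS = [
    b"USER anonymous\r\n",
    b"USER backup\r\nPASS hunter2\r\n",  # group stops at the CR
    b"PASS secret\r\n",                  # no USER command: must not fire
    b"USER \xc3\xa9lodie\r\n",           # UTF-8 username, decoded for the log
]

_PLACEHOLDER = re.compile(r"\$(\d+)")


def expand_msg(msg: str, match: "re.Match[bytes]") -> str:
    """Replace each $n in msg with capture group n of a bytes match.

    A $n with no such group, or whose group did not take part in the
    match, expands to "" so no literal "$n" reaches the alert log.
    Undecodable bytes become U+FFFD rather than raising.
    """
    def _sub(m: "re.Match[str]") -> str:
        n = int(m.group(1))
        if n < 1 or n > match.re.groups:
            return ""
        return (match.group(n) or b"").decode("utf-8", "replace")
    return _PLACEHOLDER.sub(_sub, msg)


def alert_for(rule: dict, payload: bytes) -> Optional[str]:
    """Return the expanded alert text if rule["regex"] matches payload,
    else None. Matching is done on raw bytes, as a sensor would."""
    m = re.search(rule["regex"].encode("ascii"), payload)
    if m is None:
        return None
    return expand_msg(rule["msg"], m)


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(repr(payload), "->", alert_for(RULE, payload))
```

Because the rule's group excludes whitespace, a captured username cannot carry a newline into a one-line alert format; a rule with a broader group would need its own sanitising before the value is logged.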
Current thread:
- Feature Request: regex matching available as $n strings for msg:? Jason Haar (Jun 22)
- Re: Feature Request: regex matching available as $n strings for msg:? Jeff Nathan (Jun 22)