Snort mailing list archives
RE: New snort rule lookup
From: John Hally <JHally () epnet com>
Date: Tue, 29 Mar 2005 01:29:28 -0500
Thanks Frank,

At some point I'll probably look at hacking snortcenter2 to do it for me, til then, grep it is.

Thanks!

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Monday, March 28, 2005 4:45 PM
To: John Hally
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New snort rule lookup

On Mon, 2005-03-28 at 16:06 -0500, John Hally wrote:
I noticed that the new rule lookup doesn't have the actual rule syntax included as it did before. Was this planned? I found that helped a LOT when trying to determine if the alert was malicious or not.
Heya John!

My guess would be that the web site is not able to distinguish between the GPL rules and the VRT rules. Thus the web site does not display the actual rules anymore. As you recall, you have to sign up for the VRT rules.

That said, "grep 'sid:1234567' *.rules" works just as well. Just take a look at the Snort rules themselves.

Cheers,
Frank
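The grep lookup suggested above, as an added example that is not part of the original thread: a plain `grep 'sid:100000'` also matches `sid:1000001`, so this shell function matches the sid option exactly and reports whether the rule is commented out. The function names, the file name `sample.rules`, and the sample rules with their SIDs are constructed for illustration.

```shell
#!/bin/sh
# lookup_sid SID [DIR]: print "file:line:state: rule" for every rule in
# DIR/*.rules whose sid option equals SID exactly. Returns 1 if none match.
lookup_sid() {
    sid=$1
    dir=${2:-.}
    case $sid in
        ''|*[!0-9]*)
            echo "usage: lookup_sid <numeric-sid> [rules-dir]" >&2
            return 2 ;;
    esac
    awk -v sid="$sid" '
        # "sid:" must start an option and the number must end at ";",
        # so sid:100000 does not match sid:1000001 or sid:10000010.
        BEGIN { pat = "(^|[ \t;(])sid:[ \t]*" sid "[ \t]*;" }
        $0 ~ pat {
            # A leading "#" means the rule is present but disabled.
            state = ($0 ~ /^[ \t]*#/) ? "disabled" : "enabled"
            printf "%s:%d:%s: %s\n", FILENAME, FNR, state, $0
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$dir"/*.rules
}

# Constructed sample rules (not real Snort signatures) written to DIR.
make_sample_rules() {
    cat > "$1/sample.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed example A"; content:"abc"; sid:1000001; rev:1;)
# alert tcp any any -> any 80 (msg:"constructed example B"; content:"def"; sid:10000010; rev:2;)
alert udp any any -> any 53 (msg:"constructed example C"; content:"ghi"; sid:100000; rev:1;)
EOF
}

# Demo: only the third rule is reported for SID 100000.
demo_dir=$(mktemp -d)
make_sample_rules "$demo_dir"
lookup_sid 100000 "$demo_dir"
rm -rf "$demo_dir"
```
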
Current thread:
- New snort rule lookup John Hally (Mar 28)
- Re: New snort rule lookup Frank Knobbe (Mar 28)
- Re: New snort rule lookup Brian (Mar 28)
- <Possible follow-ups>
- RE: New snort rule lookup John Hally (Mar 28)
- Re: New snort rule lookup Frank Knobbe (Mar 28)