Snort mailing list archives
help with rules - data capturing
From: "Timothy Ding" <iolabs () gmail com>
Date: Fri, 21 Dec 2007 12:20:43 -0800
Dear list,

I need some pointers in writing a rule to capture data with keyword $GPRMC coming from port 13001 into snort database. Is this possible with snort? Would appreciate any advice.

alert tcp any any -> $HOME_NET 13001 (content: "$GPRMC"; \
    msg: "display some message" ;)

ngrep results

###
T 66.xx.xx.xx:30722 -> 20.xx.xx.xx:13001 [AP]
  ........g...%356939010000676,$GPRMC,002038.000,A,3357.6423,N,1156.98828,W,
  0.46,158.11,211207,,,D,+113836653,03d.....................
#######
T 66.xx.xx.xx:30722 -> 20.xx.xx.xx:13001 [AP]
  ........g...%356939010000676,$GPRMC,002348.000,A,3357.6416,N,1156.98827,W,
  0.19,169.61,211207,,,D,+113836653,08d.....................
#####

Regards,
Tim