Snort mailing list archives
Re: help with rules - data capturing
From: Joel Esler <joel.esler () sourcefire com>
Date: Fri, 21 Dec 2007 21:29:12 -0500
Rule of thumb. Regardless of the problem you are having, always update to current version (2.8.0.1) before asking for help. That is usually the first troubleshooting step.

--
Joel Esler
joel.esler () sourcefire com

On Dec 21, 2007, at 8:01 PM, Timothy Ding wrote:
> many thanks for the reply Paul, I still don't get any results from the rule, could it possibly be the version of snort (ver 2.3.3) that I am using?
>
> Regards,
> Tim
>
>> I think it should work pretty much as-is, but here is how I would write the rule:
>>
>> alert tcp any any -> $HOME_NET 13001 (msg: "GPRMC found in packet"; \
>>   flow:to_server,established; content:"|24|GPRMC"; nocase; sid:9999000;)
>>
>> Use the flow: directive to only analyze packets that are in-state for the connection described. I also hexified the $ in $GPRMC just to be safe. That way it doesn't get treated like a variable by anything that parses that rule. And then use some non-published sid value so that if you're using BASE, SGUIL, or something else that lets you search/sort by sid values, you can access it.
>>
>> PaulM
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
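Added example, not from the thread: a small Python helper that decodes a Snort `content` string (including `|hex|` blocks such as the `|24|` used for `$` above) into the raw bytes it matches, then checks it against a constructed GPRMC payload with and without `nocase`. Useful for confirming what a rule's content option actually matches before blaming the Snort version; the sample payload is made up for this example.

```python
import re

# Constructed sample payload: an NMEA GPRMC sentence of the kind a GPS
# tracker might send over TCP to port 13001 (not captured traffic).
SAMPLE_PAYLOAD = (
    b"$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A\r\n"
)

# A Snort hex block: pipe, hex digits (spaces allowed), pipe.
_HEX_BLOCK = re.compile(r"\|([0-9A-Fa-f\s]*)\|")


def decode_content(content: str) -> bytes:
    """Turn a Snort 'content' string into the raw bytes it matches.

    Snort lets rule authors write binary bytes as hex inside pipes, so
    "|24|GPRMC" means the same as "$GPRMC". Text outside the pipes is
    taken literally.
    """
    out = bytearray()
    pos = 0
    for m in _HEX_BLOCK.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        hexdigits = re.sub(r"\s", "", m.group(1))
        if len(hexdigits) % 2:
            raise ValueError(f"odd-length hex block in content: {content!r}")
        out += bytes.fromhex(hexdigits)
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def content_matches(content: str, payload: bytes, nocase: bool = False) -> bool:
    """Emulate Snort's content match (optionally with 'nocase') on a payload."""
    needle = decode_content(content)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


if __name__ == "__main__":
    print(decode_content("|24|GPRMC"))                               # b'$GPRMC'
    print(content_matches("|24|GPRMC", SAMPLE_PAYLOAD, nocase=True))  # True
    print(content_matches("|24|gprmc", SAMPLE_PAYLOAD))               # False
```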
Current thread:
- help with rules - data capturing Timothy Ding (Dec 21)
- Re: help with rules - data capturing Paul Melson (Dec 21)
- Re: help with rules - data capturing Timothy Ding (Dec 21)
- Re: help with rules - data capturing Joel Esler (Dec 21)
- Re: help with rules - data capturing Paul Melson (Dec 23)
- Re: help with rules - data capturing Timothy Ding (Dec 26)
- Re: help with rules - data capturing Will Metcalf (Dec 26)
- Re: help with rules - data capturing Timothy Ding (Dec 21)
- Re: help with rules - data capturing Paul Melson (Dec 21)