Snort mailing list archives
Re: How to extract part of “content” and print in “msg” of a Snort Alert
From: Jason Haar <Jason_Haar () trimble com>
Date: Thu, 18 Apr 2013 16:21:38 +1200
On 16/04/13 02:59, Joel Esler wrote:
> This is not a feature that Snort /currently/ supports in any version.
I'm glad to see the emphasis there Joel ;-)

FYI I implemented it here by getting our alerting script to call the BASE interface (damned if I was going to figure out the SQL-foo to do this!) to get the TEXT output from the pcap - and then fiddle that new data into the alert.

You don't need to tell me how horrendous that is - but it works ;-)

Please feel free to save me from going to coders-hell by doing it natively ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
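The workaround Jason describes (an alerting script that fetches the packet text for an alert and splices a slice of it into the msg) can be sketched as a post-processor over Snort's alert_fast output. The code below is an added example written for this archive page, not Jason's script and not anything Snort ships: the alert line, the SID, the User-Agent pattern and the HTTP payload are all constructed, and the constructed payload stands in for whatever the BASE lookup returned. It also does the one thing a practitioner must not skip here: the extracted bytes are attacker-controlled, so they are truncated and stripped of CR/LF, non-ASCII and square brackets before they are allowed into a log line that other tools will parse.

```python
"""Post-process Snort alert_fast lines, appending a captured slice of the
matching packet payload to the alert msg.

Added example for the thread above; not code from the original post or
from Snort.  SAMPLE_ALERT, SAMPLE_PAYLOAD and UA_PATTERN are constructed.
"""
import re
from typing import Optional

# alert_fast layout (Classification is optional, ports absent for ICMP):
#   TS  [**] [gid:sid:rev] MSG [**] [Classification: C] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# Anything outside printable ASCII is replaced before it reaches a log line.
_NON_PRINTABLE = re.compile(rb"[^\x20-\x7e]")


def parse_fast_alert(line: str) -> dict:
    """Split one alert_fast line into its fields; raises on anything else."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an alert_fast line: {line!r}")
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        fields[key] = int(fields[key])
    return fields


def extract_from_payload(payload: bytes, pattern: bytes, max_len: int = 64) -> Optional[str]:
    """Return group 1 of `pattern` found in `payload`, sanitised for a log line.

    The payload is attacker-controlled: cap the length, replace bytes that
    could break the line (CR/LF, NUL, non-ASCII) and neutralise the '[' ']'
    delimiters that alert_fast consumers key on.  None when nothing matches.
    """
    m = re.search(pattern, payload, re.DOTALL)
    if not m:
        return None
    piece = _NON_PRINTABLE.sub(b"?", m.group(1)[:max_len])
    return piece.decode("ascii").replace("[", "(").replace("]", ")")


def format_fast_alert(a: dict) -> str:
    """Re-emit a parsed alert in alert_fast layout."""
    cls = f"[Classification: {a['cls']}] " if a.get("cls") else ""
    src = a["src"] + (f":{a['sport']}" if a.get("sport") else "")
    dst = a["dst"] + (f":{a['dport']}" if a.get("dport") else "")
    return (f"{a['ts']}  [**] [{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']} [**] "
            f"{cls}[Priority: {a['pri']}] {{{a['proto']}}} {src} -> {dst}")


def enrich_alert(line: str, payload: bytes, pattern: bytes) -> str:
    """Append '[extracted: ...]' to the msg when `pattern` hits in `payload`;
    otherwise return the alert unchanged."""
    alert = parse_fast_alert(line)
    piece = extract_from_payload(payload, pattern)
    if piece is not None:
        alert["msg"] = f"{alert['msg']} [extracted: {piece}]"
    return format_fast_alert(alert)


# Constructed sample data (hypothetical SID, hosts and payload).
SAMPLE_ALERT = ("04/18-16:21:38.123456  [**] [1:1000001:2] Example UA of interest [**] "
                "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80")
SAMPLE_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                  b"User-Agent: ExampleScanner/1.0 (constructed)\r\n\r\n")
UA_PATTERN = rb"User-Agent:\s*([^\r\n]+)"

if __name__ == "__main__":
    print(enrich_alert(SAMPLE_ALERT, SAMPLE_PAYLOAD, UA_PATTERN))
```

In a real deployment the `payload` argument is whatever the alerting script retrieved for that alert (from BASE, from the unified2 record, or from the pcap); the pattern is chosen per SID to mirror the rule's own `content`/`pcre`, and the sanitising step is the part to keep regardless of where the bytes come from.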
Current thread:
- How to extract part of “content” and print in “msg” of a Snort Alert Heshan Perera (Apr 15)
- Re: How to extract part of “content” and print in “msg” of a Snort Alert Joel Esler (Apr 15)
- Re: How to extract part of “content” and print in “msg” of a Snort Alert Jason Haar (Apr 17)
- Re: How to extract part of “content” and print in “msg” of a Snort Alert Jeffrey Stebelton (Apr 18)
- Re: How to extract part of “content” and print in “msg” of a Snort Alert Joel Esler (Apr 15)