Snort mailing list archives
Re: Create a rule that takes its content from a file.
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 14 May 2013 11:40:37 -0500
I am not sure what you mean by "takes it's content from a file" -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire On May 14, 2013, at 9:07 AM, arneu sneu <arneu99 () hotmail com> wrote:
Hi, I just installed Snort a few days ago and started to play with it by writing my own rules. I would like my rule to take its content from a file, but I haven't find any information on this topic, neither in the manual, nor on the Internet. I found that the content-list keyword once existed in Snort, but it has apparently been removed about 6 years ago. Too bad, because it was exactly what I was looking for. Would anybody have an idea on how to do such a thing with current snort features? I could write a rule for each of the lines of my file or use pcre with the list of possible values, but I was wondering if there was a way to do it with a rule taking its content from a file. If not, what is the correct approach to do this? As an example, if I have a file containing a whitelist of file extensions, I would like to raise an alert when an email attachment having an extension that is not in the list is seen in the network traffic. Many thanks for your help. Cheers Arneu ------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Create a rule that takes its content from a file. arneu sneu (May 14)
- Message not available
- Fwd: Create a rule that takes its content from a file. Tony Robinson (May 14)
- Message not available
- Re: Create a rule that takes its content from a file. Joel Esler (May 14)
- Message not available
- Message not available
- Re: Create a rule that takes its content from a file. Tony Robinson (May 14)
- Re: Create a rule that takes its content from a file. arneu sneu (May 15)
- Message not available