Snort mailing list archives
Re: [Snort-user] dynamic variable for content match
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 26 Jan 2015 20:34:05 +0000
I think what you are saying is that you want to:

1) type into a terminal
2) have that word added to a rule
3) have Snort alert based on that content in that rule

If so, you are probably going to have to create something for this, as it will need to get the input, write/save the rule and reload Snort again each time. I am not aware of a way to do this "cleanly". Maybe someone else can chime in if they have had experience with that.

Sorry in advance if I misinterpreted what you were asking.

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: zT [mailto:zzahra88 () gmail com]
Sent: Monday, January 26, 2015 3:16 PM
To: snort-users
Subject: [Snort-users] [Snort-user] dynamic variable for content match

Hello all,

I am new to Snort. I want to get a keyword from the Ubuntu terminal and search for it in packets (content match). Doing this with a static value is something like this:

    alert tcp any any -> any any (msg:" your content found"; sid:100000; content:"something to find"; )

Any help is highly appreciated.

Thanks and Regards,

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now.
http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
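
The three steps described in the reply above (get the input, write the rule, reload Snort), as an added example that is not part of the original thread or of Snort itself. The file paths, the function names and the reload-on-SIGHUP behaviour are assumptions; the rule text and sid follow the static rule quoted in the question. Characters that could end the content option early are hex-encoded so terminal input cannot inject extra rule options.

```python
import os
import signal
import string
import sys

# Bytes written literally; everything else (including ; " \ | : and non-ASCII)
# goes into a |hex| group so user input cannot close the content option.
SAFE = set((string.ascii_letters + string.digits + " _-./").encode())

def snort_content(keyword: str) -> str:
    """Encode a keyword as the body of a Snort content:"..." option."""
    data = keyword.encode("utf-8")
    if not data:
        raise ValueError("empty keyword")
    out, hexrun = [], []
    for b in data:
        if b in SAFE:
            if hexrun:  # close the pending hex group before a literal byte
                out.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    if hexrun:
        out.append("|" + " ".join(hexrun) + "|")
    return "".join(out)

def build_rule(keyword: str, sid: int = 100000) -> str:
    """Return one alert rule matching the keyword (sid as in the question)."""
    return ('alert tcp any any -> any any (msg:"your content found"; '
            f'content:"{snort_content(keyword)}"; sid:{sid}; rev:1;)')

def install_rule(keyword, rules_path, pid_path=None):
    """Write the rule atomically, then optionally signal Snort to reload."""
    tmp = rules_path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(build_rule(keyword) + "\n")
    os.replace(tmp, rules_path)
    if pid_path:  # assumption: the running Snort 2.x reloads on SIGHUP
        with open(pid_path) as fh:
            os.kill(int(fh.read().strip()), signal.SIGHUP)

if __name__ == "__main__":
    # Hypothetical paths; adjust to the local Snort installation.
    install_rule(sys.argv[1], "/etc/snort/rules/dynamic.rules",
                 "/var/run/snort_eth0.pid")
```

The rules file written here still has to be included from snort.conf for the rule to load.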
Current thread:
- [Snort-user] dynamic variable for content match zT (Jan 26)
- Re: [Snort-user] dynamic variable for content match Al Lewis (allewi) (Jan 26)
- Re: [Snort-user] dynamic variable for content match zT (Jan 26)
- Re: [Snort-user] dynamic variable for content match waldo kitty (Jan 27)
- Re: [Snort-user] dynamic variable for content match zT (Jan 27)
- Re: [Snort-user] dynamic variable for content match waldo kitty (Jan 28)
- Re: [Snort-user] dynamic variable for content match zT (Jan 28)
- Re: [Snort-user] dynamic variable for content match Al Lewis (allewi) (Jan 29)
- Re: [Snort-user] dynamic variable for content match zT (Jan 29)
- Re: [Snort-user] dynamic variable for content match zT (Jan 26)
- Re: [Snort-user] dynamic variable for content match Al Lewis (allewi) (Jan 26)