Snort mailing list archives

Re: Question


From: wkitty42 () windstream net
Date: Fri, 22 Sep 2017 12:47:53 -0400

On 09/22/2017 11:46 AM, William Pearson wrote:
> I'm using BASE, and the results snort is giving me are beyond vague. I presume this is an issue with the rules and preprocessing. I couldn't care less about what preprocessor is being used. I'm singularly interested in the actual rule. Why won't it show me the message field in the actual rules?
>
> [snort <http://www.snort.org/search/sid/120-3>] http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE


in this example, the all CAPS /is/ the msg portion of the rule... however, preprocessors are slightly different in that the rules are written into the code of snort... kind of like the shared object rules... generally speaking, their msg contents cannot be changed like the text based rules that are used...


are you, perhaps, looking for the actual GID:SID of the rule? to us, that's more important than the msg text...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
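
Added example, not part of the original message or of Snort/BASE: a small resolver that pulls the GID:SID out of an alert line such as the one quoted above and looks up its msg text. It assumes the Snort 2.x conventions that GID 1 is a text rule and GID 3 a shared object rule, the `gid || sid || msg` layout of `gen-msg.map`, and that a BASE link with a bare sid means GID 1; the map contents and function names are constructed for illustration.

```python
import re

# Constructed sample in the "gid || sid || msg" layout of gen-msg.map.
GEN_MSG_MAP = """\
# generator id || alert id || msg
120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
999 || 1 || example_preproc: CONSTRUCTED ENTRY
"""

FAST_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")         # [gid:sid:rev] in fast alerts
LINK_RE = re.compile(r"/search/sid/(?:(\d+)-)?(\d+)")  # BASE link: gid-sid or bare sid

def load_gen_map(text):
    """Parse gen-msg.map style text into {(gid, sid): msg}, skipping bad lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table

def extract_gid_sid(alert):
    """Return (gid, sid) from a fast-alert line or a BASE signature link."""
    m = FAST_RE.search(alert)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = LINK_RE.search(alert)
    if m:
        return int(m.group(1) or 1), int(m.group(2))  # assumption: bare sid => GID 1
    return None

def rule_source(gid):
    """Classify where the rule behind an alert lives, by generator id."""
    if gid == 1:
        return "text rule"
    if gid == 3:
        return "shared object rule"
    return "preprocessor/decoder (msg built into snort)"

def describe(alert, table):
    """Resolve an alert line to its GID:SID, rule source and mapped msg."""
    key = extract_gid_sid(alert)
    if key is None:
        return None
    return {"gid": key[0], "sid": key[1],
            "source": rule_source(key[0]), "msg": table.get(key)}
```
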