[Snort-devel] outputting variables for analysts
Long, Kerry S
kslong at ...227...
Fri Jan 3 12:51:28 EST 2014
Hello, I originally sent this to the users group. It is probably more appropriate for this group.
I am trying to figure out the best way to accomplish the following task. I want my analysts to see a variable I capture with byte_extract in their alert display. Ideally it could just be inserted into the message field like below. I could also use Unified2 alerts with an extra custom field, maybe, where I create some sort of plugin to grab the value and insert it into a Unified2 alert. I am trying to decide what is the easiest way to do it. Suggestions would be most appreciated.
# sid/rev added so the rule parses; 1000001 is a placeholder in the local-rule range
alert tcp any any -> any any (byte_extract:1, 0, str_offset; \
byte_extract:1, 1, str_depth; \
content:"bad stuff"; offset:str_offset; depth:str_depth; \
msg:"Bad Stuff detected within field at $str_offset"; \
sid:1000001; rev:1;)
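Snort's msg option is a literal string and does not expand byte_extract variables, so the values have to be recovered downstream. The following is an added example, not code from the poster or from the Snort project: it re-evaluates the posted rule's byte_extract / content / offset / depth logic over a constructed payload, returns the extracted variables, and substitutes them into the message template the way an alert post-processor (for instance one reading Unified2 records with their packet data) could. The payload bytes, the helper names and the message template handling are assumptions for illustration.

```python
"""Re-evaluate the posted rule's byte_extract logic and render the variables
into the analyst-facing message. Added example, not part of the original post."""

import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ByteExtract:
    """One byte_extract option: read `size` bytes at `offset` into `name`."""
    size: int
    offset: int
    name: str
    big_endian: bool = True  # Snort defaults to big-endian for multi-byte reads


def byte_extract(payload: bytes, spec: ByteExtract) -> Optional[int]:
    """Return the integer read by `spec`, or None if it would run past the payload
    (Snort treats that as the rule not matching)."""
    end = spec.offset + spec.size
    if spec.size not in (1, 2, 4) or spec.offset < 0 or end > len(payload):
        return None
    return int.from_bytes(payload[spec.offset:end],
                          "big" if spec.big_endian else "little")


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """Snort content semantics: look for `pattern` in the `depth` bytes that start
    `offset` bytes into the payload (depth 0 means 'to the end')."""
    window = payload[offset:offset + depth] if depth > 0 else payload[offset:]
    return pattern in window


# The two byte_extract options and the content from the posted rule.
EXTRACTS = [ByteExtract(1, 0, "str_offset"), ByteExtract(1, 1, "str_depth")]
CONTENT = b"bad stuff"
MSG_TEMPLATE = "Bad Stuff detected within field at $str_offset"


def evaluate_rule(payload: bytes) -> Optional[Dict[str, int]]:
    """Apply the extracts, then the content check; return the variables on a hit."""
    variables: Dict[str, int] = {}
    for spec in EXTRACTS:
        value = byte_extract(payload, spec)
        if value is None:
            return None
        variables[spec.name] = value
    if not content_match(payload, CONTENT, variables["str_offset"], variables["str_depth"]):
        return None
    return variables


def render_msg(template: str, variables: Dict[str, int]) -> str:
    """Replace $name tokens with extracted values; unknown names are left as-is."""
    return re.sub(r"\$(\w+)",
                  lambda m: str(variables.get(m.group(1), m.group(0))),
                  template)


# Constructed sample payloads (assumptions for illustration):
# byte 0 = offset (2), byte 1 = depth (11), then "XXbad stuffYY".
SAMPLE_HIT = b"\x02\x0b" + b"XX" + b"bad stuff" + b"YY"
# Same layout but depth 5: the window "XXbad" is too short to hold the content.
SAMPLE_MISS = b"\x02\x05" + b"XX" + b"bad stuff" + b"YY"


def enrich(payload: bytes) -> Optional[str]:
    """What a post-processor would hand the analyst for this payload."""
    variables = evaluate_rule(payload)
    return None if variables is None else render_msg(MSG_TEMPLATE, variables)


if __name__ == "__main__":
    print(enrich(SAMPLE_HIT))   # Bad Stuff detected within field at 2
    print(enrich(SAMPLE_MISS))  # None
```

The enrichment step needs the packet bytes the rule fired on, which is why the Unified2 route mentioned above (packet record alongside the event record) fits better than the one-line fast-alert output.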