[Snort-devel] outputting variables for analysts

Joel Esler (jesler) jesler at ...3461...
Wed Jan 8 09:40:33 EST 2014

On Jan 3, 2014, at 12:51 PM, Long, Kerry S <kslong at ...227...> wrote:

Hello, I originally sent this to the users group.  It is probably more appropriate for this group.

I am trying to figure out the best way to accomplish the following task.  I want my analysts to see a variable I capture with byte extract in their alert display.  Ideally it could just be inserted into the message field like below. I could also use Unified2 alerts with an extra custom field maybe where I create some sort of plugin to grab the value and insert it into a Unified2 alert.  Trying to decide what is the easiest way to do it. Suggestions would be most appreciated.


alert tcp any any -> any any (byte_extract:1, 0, str_offset; \
        byte_extract:1, 1, str_depth; \
        content:"bad stuff"; offset:str_offset; depth:str_depth; \
        msg:"Bad Stuff detected within field at $str_offset";)

Currently there is no way to modify the message based upon a capture.

Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team
New Email: jesler at ...3461...
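Added example (not code from this thread and not Snort's own code): since the msg text cannot carry a byte_extract value, one workaround is to recompute the variable outside Snort. A Unified2 record includes the packet that raised the alert, so a post-processor can re-run the rule's byte_extract and content logic over that payload and hand the analyst an annotated message. The Python below assumes the payload bytes have already been pulled out of the log (Unified2 parsing is not shown), mimics byte_extract in binary mode only (no string/multiplier/align options), and uses constructed payloads rather than captured traffic.

```python
"""Post-processing stand-in for putting a byte_extract value into an alert message.

Added example, not Snort or thread code. Assumes the packet payload has already
been read from the Unified2 record; the payloads at the bottom are constructed.
"""


def byte_extract(payload: bytes, nbytes: int, offset: int, endian: str = "big",
                 cursor: int = 0, relative: bool = False):
    """Mimic Snort's byte_extract in binary mode.

    nbytes: 1-4 bytes to read (the range Snort allows); offset: absolute from the
    start of the payload, or from `cursor` when relative=True; endian: "big"
    (Snort's default) or "little". Returns (value, new_cursor) with new_cursor
    just past the bytes read, or None when the read would run off the end of
    the payload, in which case the rule simply does not match.
    """
    if not 1 <= nbytes <= 4:
        raise ValueError("byte_extract reads 1 to 4 bytes")
    start = cursor + offset if relative else offset
    end = start + nbytes
    if start < 0 or end > len(payload):
        return None
    return int.from_bytes(payload[start:end], endian), end


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int):
    """Search the way content with offset/depth does: the match must start at or
    after `offset` and end within `depth` bytes of it. Returns the absolute
    index of the match, or None."""
    if depth < len(pattern):
        return None  # window cannot hold the pattern: no match
    idx = payload[offset:offset + depth].find(pattern)
    return None if idx < 0 else offset + idx


def evaluate_rule(payload: bytes):
    """Re-run the quoted rule over a logged payload and build the message the
    original poster wanted, with the extracted variable filled in.

    Rule being mirrored: byte_extract:1,0,str_offset; byte_extract:1,1,str_depth;
    content:"bad stuff"; offset:str_offset; depth:str_depth;
    Returns a dict describing the alert, or None when the rule would not fire.
    """
    r = byte_extract(payload, 1, 0)
    if r is None:
        return None
    str_offset, _ = r
    r = byte_extract(payload, 1, 1)
    if r is None:
        return None
    str_depth, _ = r
    match_at = content_match(payload, b"bad stuff", str_offset, str_depth)
    if match_at is None:
        return None
    return {
        "str_offset": str_offset,
        "str_depth": str_depth,
        "match_at": match_at,
        # The text the rule's msg option cannot produce on its own
        "msg": f"Bad Stuff detected within field at {str_offset}",
    }


# Constructed payloads (not real traffic): byte 0 = offset, byte 1 = depth.
PAYLOAD_HIT = b"\x05\x10" + b"abc" + b"bad stuff" + b"zzz"  # offset 5, depth 16: fires
PAYLOAD_SHORT_DEPTH = b"\x05\x04" + b"abc" + b"bad stuff"   # depth 4 < 9: no alert
PAYLOAD_TRUNCATED = b"\x05"                                 # second byte_extract runs past the end

if __name__ == "__main__":
    for name, p in [("hit", PAYLOAD_HIT), ("short_depth", PAYLOAD_SHORT_DEPTH),
                    ("truncated", PAYLOAD_TRUNCATED)]:
        print(name, evaluate_rule(p))
```

The post-processor must reproduce the rule's exact byte_extract arguments (size, offset, endianness, relative or not), otherwise the value shown to the analyst will differ from what Snort matched on; keeping the extraction parameters next to the rule's sid in one place avoids that drift.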
