[Snort-devel] outputting variables for analysts
Joel Esler (jesler)
jesler at ...3461...
Wed Jan 8 09:40:33 EST 2014
On Jan 3, 2014, at 12:51 PM, Long, Kerry S <kslong at ...227...<mailto:kslong at ...227...>> wrote:
Hello, I originally sent this to the users group. It is probably more appropriate for this group.
I am trying to figure out the best way to accomplish the following task. I want my analysts to see a variable I capture with byte extract in their alert display. Ideally it could just be inserted into the message field like below. I could also use Unified2 alerts with an extra custom field maybe where I create some sort of plugin to grab the value and insert it into a Unified2 alert. Trying to decide what is the easiest way to do it. Suggestions would be most appreciated.
alert tcp any any -> any any (byte_extract:1, 0, str_offset; \
byte_extract:1, 1, str_depth; \
content:"bad stuff"; offset:str_offset; depth:str_depth; \
msg:"Bad Stuff detected within field at $str_offset";)
Currently there is no way to modify the message based upon a capture.
Open Source Manager
Vulnerability Research Team
New Email: jesler at ...3461...<mailto:jesler at ...3461...>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-devel