[Snort-sigs] What are the alert message capabilities

Matt Kettler mkettler at ...189...
Wed Jan 29 10:36:07 EST 2003

Hmm, I don't think there's any way for which port was matched to change the 
alert message itself, however the packet header decode output part of the 
alert will always indicate what port matched, so you could theoretically do 
some scripted post-processing to change the log format to suit you.

At 03:35 PM 1/28/2003 -0600, Sewell, Michael K wrote:

>I'm assuming that I'm just wishing for too much here, but is it possible to
>match on a range (ports, address list, etc) or wildcard and take the
>specific criteria in the matching packet and use it as part of the actual
>alert message? Example: match on a range of ports, say 1:50, and a packet
>comes along on port 21, which the alert message then indicates in its
>This SF.NET email is sponsored by:
>SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list