[Snort-sigs] How to extract part of “content” and print in “msg” of a Snort Alert
anthonyheshanperera at ...2420...
Mon Apr 15 09:06:10 EDT 2013
I am trying to write a Snort rule that will allow me to print the name of a
file being downloaded via FTP.
The following is the rule I have so far...
alert tcp any any <> any any (content:"RETR:";msg:"A file is being
While this rule works, I can't figure out how to print the name of the file
in the "msg" component of the alert. For example I would want the output of
the alert to be something like...
"A file is being downloaded. The file name is foo.txt".
The file name is available in the content of the FTP traffic (RETR: /foo.txt).
I just cannot figure out how to extract that content and print it as a part
of the message.
Any help on this would be highly appreciated.
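An added example, not code from the original post: Snort's msg: option is a fixed string, so the file name has to be recovered from the packet the rule logs rather than printed in the alert text itself. This Python snippet parses FTP control-channel payloads in their RFC 959 form (`RETR <pathname>\r\n`, command word case-insensitive) and builds the message the poster describes; the payloads are constructed samples, not captured traffic.

```python
import re
from typing import Iterable

# FTP RETR command as sent on the control channel (RFC 959):
# "RETR <pathname>\r\n". The command word is case-insensitive and the
# pathname runs to the end of the line. The pattern mirrors a Snort
# pcre such as pcre:"/^RETR\s+([^\r\n]+)/i" applied to a logged packet.
RETR_RE = re.compile(rb"^\s*RETR[ \t]+([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def extract_retr_filenames(payload: bytes) -> list:
    """Return every pathname requested with RETR in one control-channel payload."""
    names = []
    for m in RETR_RE.finditer(payload):
        name = m.group(1).strip().decode("utf-8", errors="replace")
        if name:
            names.append(name)
    return names


def alert_messages(payloads: Iterable[bytes]) -> list:
    """Build the alert text the poster wants, one entry per RETR seen.

    Snort's msg: is static, so the file name cannot be interpolated into it;
    this post-processing step reads the name from the captured payload instead.
    """
    msgs = []
    for payload in payloads:
        for name in extract_retr_filenames(payload):
            msgs.append(f"A file is being downloaded. The file name is {name}")
    return msgs


# Constructed sample payloads (not real captured traffic).
SAMPLE_PAYLOADS = [
    b"USER anonymous\r\n",                 # not a RETR, produces no alert
    b"RETR /foo.txt\r\n",                  # the case from the post
    b"retr reports/q1 summary.pdf\r\n",    # lower-case command, space in name
    b"PWD\r\nRETR bar.bin\r\n",            # two commands in one TCP segment
    b"RETR\r\n",                           # malformed: no pathname, skipped
]

if __name__ == "__main__":
    for line in alert_messages(SAMPLE_PAYLOADS):
        print(line)
```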