[Snort-sigs] How to extract part of “content” and print in “msg” of a Snort Alert

Heshan Perera anthonyheshanperera at ...2420...
Mon Apr 15 09:06:10 EDT 2013


I am trying to write a Snort rule that will allow me to print the name of a
file being downloaded via FTP.

The following is the rule I have so far...

alert tcp any any <> any any (content:"RETR:"; msg:"A file is being downloaded."; sid:1000004;)

While this rule works, I can't figure out how to print the name of the file
in the "msg" component of the alert. For example I would want the output of
the alert to be something like...

"A file is being downloaded. The file name is foo.txt".

The file name is available in the content of the FTP traffic (RETR: /foo.txt).

I just cannot figure out how to extract that content and print it as a part
of the message.

Any help on this would be highly appreciated.
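A worked example added here (not part of the original post or of Snort itself): the msg option in a Snort rule is a fixed string, so the file name has to be pulled from the packet payload that Snort logs alongside the alert (for example with full alert output or unified2 with payload) and spliced into the message by a post-processing step. The script below parses the FTP control-channel payload for the RETR command and builds the message the poster describes. The payloads are constructed samples; real FTP sends "RETR <path>", and the optional colon is accepted only because the poster's content match uses "RETR:". Non-printable bytes in the file name are replaced so a hostile client cannot inject terminal escapes or line breaks into the alert text.

```python
import re
from typing import List, Optional

# Constructed sample payloads (not captured traffic): what an FTP client sends
# on the control channel.  Real FTP is "RETR <path>"; the poster's rule matches
# "RETR:", so the parser accepts an optional colon as well.
SAMPLE_PAYLOADS = [
    b"RETR: /foo.txt\r\n",
    b"USER anonymous\r\nPASS guest\r\nRETR /pub/report.pdf\r\n",
    b"STOR upload.bin\r\n",                 # an upload: no RETR, nothing to report
    b"retr  data.csv\r\n",                  # lowercase command, extra spacing
    b"RETR evil\x1b[31mname.txt\r\n",       # control byte that must not reach the log
]

# One FTP command per line; ^ with MULTILINE finds RETR after USER/PASS lines.
RETR_RE = re.compile(rb"^RETR:?[ \t]+([^\r\n]+)", re.IGNORECASE | re.MULTILINE)

# Static msg from the poster's rule; it is what Snort prints on every hit.
BASE_MSG = "A file is being downloaded."


def extract_retr_path(payload: bytes) -> Optional[str]:
    """Return the argument of the first RETR command in an FTP control payload,
    or None when the payload carries no RETR.  Bytes outside printable ASCII
    are replaced with '?' so the file name is safe to print in an alert."""
    m = RETR_RE.search(payload)
    if not m:
        return None
    raw = m.group(1).strip()
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in raw)


def build_alert_msg(base_msg: str, payload: bytes) -> str:
    """Enrich a static Snort msg with the file name taken from the payload.
    Payloads without a RETR command yield the unchanged base message."""
    path = extract_retr_path(payload)
    if path is None:
        return base_msg
    return f"{base_msg} The file name is {path}"


def enrich_all(payloads: List[bytes]) -> List[str]:
    """Build the enriched message for every payload, in order."""
    return [build_alert_msg(BASE_MSG, p) for p in payloads]


if __name__ == "__main__":
    for payload, msg in zip(SAMPLE_PAYLOADS, enrich_all(SAMPLE_PAYLOADS)):
        print(f"{payload!r:60} -> {msg}")
```

The path is reported exactly as the client sent it (so "/foo.txt" rather than "foo.txt"); trim it to the base name afterwards if that is what the log should carry. Whatever reads the alert payload out of Snort's log feeds the raw bytes to build_alert_msg and stores the returned string in place of the static msg.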

