[Snort-sigs] How to extract part of “content” and print in “msg” of a Snort Alert

Joel Esler jesler at ...435...
Mon Apr 15 10:59:20 EDT 2013


On Apr 15, 2013, at 9:06 AM, Heshan Perera <anthonyheshanperera at ...2420...> wrote:

> I am trying to write a Snort rule that will allow me to print the name of a file being downloaded via FTP.
> 
> The following is the rule I have so far...
> 
> alert tcp any any <> any any (content:"RETR:";msg:"A file is being downloaded.";sid:1000004;)
> While this rule works, I can't figure out how to print the name of the file in the "msg" component of the alert. For example I would want the output of the alert to be something like...
> 
> "A file is being downloaded. The file name is foo.txt".
> 
> The file name is available in the content of the FTP traffic (RETR: /foo.txt)
> 
> I just cannot figure out how to extract that content and print it as a part of the message.
> 
> Any help on this would be highly appreciated.
> 
This is not a feature that Snort currently supports in any version.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130415/7b4cf24f/attachment.html>


More information about the Snort-sigs mailing list