[Snort-sigs] How to extract part of “content” and print in “msg” of a Snort Alert
jesler at ...435...
Mon Apr 15 10:59:20 EDT 2013
On Apr 15, 2013, at 9:06 AM, Heshan Perera <anthonyheshanperera at ...2420...> wrote:
> I am trying to write a Snort rule that will allow me to print the name of a file being downloaded via FTP.
> The following is the rule I have so far...
> alert tcp any any <> any any (content:"RETR:";msg:"A file is being downloaded.";sid:1000004;)
> While this rule works, I can't figure out how to print the name of the file in the "msg" component of the alert. For example I would want the output of the alert to be something like...
> "A file is being downloaded. The file name is foo.txt".
> The file name is available in the content of the FTP traffic (RETR: /foo.txt)
> I just cannot figure out how to extract that content and print it as a part of the message.
> Any help on this would be highly appreciated.
This is not a feature that Snort currently supports in any version.
Senior Research Engineer, VRT
OpenSource Community Manager
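Since Snort has no option for copying matched content into the alert text, the closest a defender can get is a small post-processing step outside Snort. The following is an added example, not code from the thread or from the Snort project: it parses an FTP control-channel stream for RETR commands (RFC 959 syntax is "RETR <SP> <pathname>", and the pattern also tolerates the "RETR:" form used in the rule quoted above), extracts the pathname, and builds the alert message the question asks for. The sample stream, the function names and the sid reuse are constructed for illustration.

```python
import posixpath
import re

# Constructed sample of an FTP control-channel stream (not captured traffic).
SAMPLE_FTP_STREAM = (
    b"USER anonymous\r\n"
    b"PASS guest@example.invalid\r\n"
    b"CWD /pub\r\n"
    b"RETR /foo.txt\r\n"
    b"retr reports/quarterly report.pdf\r\n"
    b"RETR: /bar.bin\r\n"
    b"QUIT\r\n"
)

# RFC 959 form is "RETR <SP> <pathname> <CRLF>"; the optional ":" also accepts the
# "RETR:" spelling from the rule in the thread. MULTILINE anchors "^" at each line.
RETR_RE = re.compile(rb"^RETR:?[ \t]+(?P<path>[^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def extract_retr_paths(payload: bytes) -> list[str]:
    """Return every pathname requested with RETR, in order of appearance."""
    return [
        m.group("path").decode("utf-8", "replace").strip()
        for m in RETR_RE.finditer(payload)
    ]


def safe_for_log(text: str) -> str:
    """Replace non-printable characters so an attacker-chosen filename cannot
    inject control sequences or line breaks into the alert log."""
    return re.sub(r"[^\x20-\x7e]", "?", text)


def format_alert(path: str, sid: int = 1000004) -> str:
    """Build the message the thread asks for, naming only the file's basename."""
    name = safe_for_log(posixpath.basename(path))
    return f"[1:{sid}:0] A file is being downloaded. The file name is {name}"


def alerts_for_stream(payload: bytes) -> list[str]:
    """Run extraction and formatting over one control-channel payload."""
    return [format_alert(p) for p in extract_retr_paths(payload)]


if __name__ == "__main__":
    for line in alerts_for_stream(SAMPLE_FTP_STREAM):
        print(line)
```

In practice the payload would come from a reassembled FTP control stream (for example the output of a flow-reassembly tool fed from a pcap), and the generated line can be written beside the original Snort alert with the same sid so the two can be correlated.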