[Snort-sigs] How to extract part of “content” and print in “msg” of a Snort Alert
Jason_Haar at ...3686...
Thu Apr 18 00:21:38 EDT 2013
On 16/04/13 02:59, Joel Esler wrote:
> This is not a feature that Snort /currently/ supports in any version.

I'm glad to see the emphasis there Joel ;-)

FYI I implemented it here by getting our alerting script to call the
BASE interface (damned if I was going to figure out the SQL-foo to do
this!) to get the TEXT output from the pcap - and then fiddle that new
data into the alert.

You don't need to tell me how horrendous that is - but it works ;-)

Please feel free to save me from going to coders-hell by doing it

Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1