[Snort-sigs] Create a rule that takes its content from a file.

arneu sneu arneu99 at ...12...
Tue May 14 10:07:19 EDT 2013


I just installed Snort a few days ago and started to play with it by writing my own rules.
I would like my rule to take its content from a file, but I haven't found any information on this topic, neither in the manual, nor on the Internet. I found that the content-list keyword once existed in Snort, but it was apparently removed about 6 years ago. Too bad, because it was exactly what I was looking for.
Would anybody have an idea on how to do such a thing with current Snort features? I could write a rule for each of the lines of my file or use pcre with the list of possible values, but I was wondering if there was a way to do it with a rule taking its content from a file. If not, what is the correct approach to do this?

As an example, if I have a file containing a whitelist of file extensions, I would like to raise an alert when an email attachment having an extension that is not in the list is seen in the network traffic.

Many thanks for your help.
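
The "pcre with the list of possible values" option from the post can be generated from the whitelist file rather than written by hand; the sketch below is an added example, not part of the original message and not a Snort feature. It assumes Snort 2.x rule syntax, cleartext SMTP on port 25, and a quoted, unencoded `filename="..."` parameter; the function names, rule header variables, `msg` text and `sid` are hypothetical, and the sample data is constructed.

```python
import re

# Constructed sample whitelist file content, one extension per line.
SAMPLE_WHITELIST = "# allowed attachment extensions\npdf\n.txt\nDOCX\n"

def load_whitelist(text):
    """Return normalised extensions; reject entries that could alter the regex."""
    exts = []
    for line in text.splitlines():
        ext = line.strip().lstrip(".").lower()
        if not ext or ext.startswith("#"):
            continue
        if not re.fullmatch(r"[a-z0-9]+", ext):
            raise ValueError(f"unsafe whitelist entry: {line!r}")
        if ext not in exts:
            exts.append(ext)
    return exts

def build_pcre(exts):
    """Match a quoted filename whose final extension is not whitelisted."""
    # \x22 stands for '"' so the expression can sit inside a quoted rule option.
    alt = "|".join(exts)
    return (r"filename\s*=\s*\x22[^\x22\r\n]*\."
            rf"(?!(?:{alt})\x22)[^.\x22\r\n]+\x22")

def build_rule(exts, sid=1000001):
    """Render a Snort 2.x-style rule (header variables, msg and sid are assumed)."""
    return ('alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 '
            '(msg:"LOCAL SMTP attachment extension not in whitelist"; '
            'flow:to_server,established; content:"filename"; nocase; '
            f'pcre:"/{build_pcre(exts)}/i"; '
            f'classtype:policy-violation; sid:{sid}; rev:1;)')

def would_alert(header_line, exts):
    """Apply the same expression with Python's re to one MIME header line."""
    return re.search(build_pcre(exts), header_line, re.I) is not None

if __name__ == "__main__":
    exts = load_whitelist(SAMPLE_WHITELIST)
    print(build_rule(exts))
    for name in ("report.pdf", "report.pdf.exe", "archive.tar.gz"):  # constructed
        hdr = f'Content-Disposition: attachment; filename="{name}"'
        print(name, "->", "alert" if would_alert(hdr, exts) else "ok")
```

The generated rule has to be rewritten and Snort reloaded whenever the whitelist file changes, since the list is baked into the rule text.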


