[Snort-sigs] Fwd: Create a rule that takes its content from a file.

Tony Robinson deusexmachina667 at ...2420...
Tue May 14 10:29:45 EDT 2013


Forwarding to mailing list.

---------- Forwarded message ----------
From: Tony Robinson <deusexmachina667 at ...2420...>
Date: Tue, May 14, 2013 at 10:29 AM
Subject: Re: [Snort-sigs] Create a rule that takes its content from a file.
To: arneu sneu <arneu99 at ...12...>


Hm...

You may want to look at the file-identify.rules category. This seems to be
right up your alley.

http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html


On Tue, May 14, 2013 at 10:07 AM, arneu sneu <arneu99 at ...12...> wrote:

> Hi,
>
> I just installed Snort a few days ago and started to play with it by
> writing my own rules.
> I would like my rule to take its content from a file, but I haven't found
> any information on this topic, neither in the manual, nor on the Internet.
> I found that the content-list keyword once existed in Snort, but it has
> apparently been removed about 6 years ago. Too bad, because it was exactly
> what I was looking for.
> Would anybody have an idea on how to do such a thing with current snort
> features? I could write a rule for each of the lines of my file or use pcre
> with the list of possible values, but I was wondering if there was a way to
> do it with a rule taking its content from a file. If not, what is the
> correct approach to do this?
>
> As an example, if I have a file containing a whitelist of file extensions,
> I would like to raise an alert when an email attachment having an extension
> that is not in the list is seen in the network traffic.
>
> Many thanks for your help.
>
> Cheers
>
> Arneu
>
>
>



-- 
when does reality end? when does fantasy begin?
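Added example (not part of the original thread, and not Snort project code): since Snort has no keyword that reads rule content from a file, the practical replacement for the old content-list keyword is to generate the rule from the file. The script below reads a whitelist of extensions and folds it into a single pcre with a negative lookahead, so one rule alerts on any MIME "filename=" parameter whose final extension is not in the list. The whitelist text, the sid 1000001 and the assumption that $SMTP_SERVERS is defined in snort.conf are all mine; "matches" runs the generated regex with Python's re so the pattern can be checked offline before it goes into a rules file.

```python
#!/usr/bin/env python3
"""Build a Snort rule from a whitelist file of attachment extensions.

The whitelist is read at generation time and folded into one pcre: a negative
lookahead lists the allowed extensions, and anything else that appears as the
final extension of a MIME "filename=" parameter produces an alert.
"""
import re

# Constructed sample whitelist, one extension per line; '#' starts a comment.
SAMPLE_WHITELIST = """\
# allowed attachment extensions
pdf
.txt
docx
gz
"""


def load_whitelist(text):
    """Parse whitelist text into a sorted, de-duplicated list of lowercase extensions."""
    exts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lstrip(".")
        if not line:
            continue
        # Only plain alphanumeric extensions are allowed into the regex alternation.
        if not re.fullmatch(r"[A-Za-z0-9]{1,10}", line):
            raise ValueError(f"unsupported whitelist entry: {raw!r}")
        exts.add(line.lower())
    if not exts:
        raise ValueError("empty whitelist would alert on every attachment")
    return sorted(exts)


def build_pcre(exts):
    """Return the regex body (without delimiters/flags) for the pcre option.

    Matching header shapes:  filename="<anything>.<ext>"   or   filename=<name>.<ext>CRLF
    The lazy [^...]*? walks to each '.' in turn; the negative lookahead rejects a
    '.' only if a whitelisted extension follows it AND is immediately closed by a
    quote, ';' or whitespace. Only the *final* extension therefore counts:
    "report.pdf.exe" alerts, "archive.tar.gz" (gz allowed) does not.
    '"' and ';' are written as \\x22 and \\x3b because both break Snort's rule
    option parser when they appear literally inside the pcre string.
    """
    allowed = "|".join(re.escape(e) for e in exts)
    return (r"filename=\x22?[^\x22\r\n\x3b]*?\."
            r"(?!(?:" + allowed + r")(?:\x22|\x3b|\s))"
            r"[A-Za-z0-9]+(?=\x22|\x3b|\s)")


def build_rule(exts, sid=1000001):
    """Assemble the full rule text.

    sid 1000001 is an assumed local SID (the local range starts at 1000000);
    $SMTP_SERVERS is assumed to be defined in snort.conf, as it is by default.
    """
    return ("alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ("
            'msg:"LOCAL SMTP attachment with non-whitelisted extension"; '
            "flow:to_server,established; "
            'content:"filename="; nocase; '
            f'pcre:"/{build_pcre(exts)}/i"; '
            "classtype:policy-violation; "
            f"sid:{sid}; rev:1;)")


def matches(exts, header_line):
    """Offline check of the generated pcre against one MIME header line as it
    appears on the wire (CRLF included). Python's re accepts this subset of
    PCRE syntax unchanged, so the result predicts what Snort's pcre will do."""
    return re.search(build_pcre(exts), header_line, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Regenerate and reload the rule whenever the whitelist file changes.
    print(build_rule(load_whitelist(SAMPLE_WHITELIST)))
```

Two caveats worth knowing before relying on this: the rule inspects the raw DATA stream, so it does not see RFC 2231 encoded names ("filename*=") or attachments whose MIME part is itself inside an encoded body, and a filename says nothing about what the bytes actually are. The file-identify rules Tony points to match on the file's own magic rather than its name, which is the harder thing for a sender to fake; the two approaches complement each other.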