[Snort-sigs] Create a rule that takes its content from a file.

Joel Esler jesler at ...435...
Tue May 14 12:40:37 EDT 2013


I am not sure what you mean by "takes its content from a file".

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 14, 2013, at 9:07 AM, arneu sneu <arneu99 at ...12...> wrote:

> Hi,
> 
> I just installed Snort a few days ago and started to play with it by writing my own rules.
> I would like my rule to take its content from a file, but I haven't found any information on this topic, either in the manual or on the Internet. I found that the content-list keyword once existed in Snort, but it was apparently removed about 6 years ago. Too bad, because it was exactly what I was looking for.
> Would anybody have an idea on how to do such a thing with current Snort features? I could write a rule for each of the lines of my file or use pcre with the list of possible values, but I was wondering if there was a way to do it with a rule taking its content from a file. If not, what is the correct approach to do this?
> 
> As an example, if I have a file containing a whitelist of file extensions, I would like to raise an alert when an email attachment having an extension that is not in the list is seen in the network traffic.
> 
> Many thanks for your help.
> 
> Cheers
> 
> Arneu
> 
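Added example, not part of the original thread and not Sourcefire code: one way to take the "pcre with the list of possible values" route from the question is to generate the rule from the whitelist file, so that the file stays the single source of truth. The function names, the rule message, the sid and the use of `$SMTP_SERVERS` on port 25 are assumptions, and the sample whitelist and MIME headers are constructed.

```python
import re

def load_extensions(lines):
    """Normalise whitelist lines: trim, lowercase, drop blanks, comments and duplicates."""
    exts = []
    for line in lines:
        ext = line.strip().lstrip(".").lower()
        if not ext or ext.startswith("#"):
            continue
        # Refuse anything that could change the meaning of the generated regex.
        if not re.fullmatch(r"[a-z0-9]+", ext):
            raise ValueError(f"unsafe extension in whitelist: {line!r}")
        if ext not in exts:
            exts.append(ext)
    return exts

def build_pcre(exts):
    """Regex matching a MIME filename whose last extension is NOT whitelisted.

    \\x22 (double quote) and \\x3b (semicolon) are hex-escaped so the pattern
    can sit inside a Snort rule option without breaking the rule syntax.
    """
    allowed = "|".join(exts)
    return (rf"filename\s*=\s*\x22?[^\x22\r\n]*"
            rf"\.(?!(?:{allowed})[\x22\s\x3b])[a-z0-9]+[\x22\s\x3b]")

def build_rule(exts, sid=1000001):
    """Emit one Snort 2.x rule; sid is taken from the local-rule range (assumed value)."""
    return ('alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 '
            '(msg:"LOCAL email attachment extension not in whitelist"; '
            'flow:to_server,established; content:"filename"; nocase; '
            f'pcre:"/{build_pcre(exts)}/i"; sid:{sid}; rev:1;)')

if __name__ == "__main__":
    # Constructed whitelist; in practice pass open("whitelist.txt") instead.
    whitelist = ["pdf\n", ".TXT\n", "# archives\n", "gz\n"]
    exts = load_extensions(whitelist)
    print(build_rule(exts))
    rx = re.compile(build_pcre(exts), re.I)
    # Constructed MIME header lines to sanity-check the pattern before deployment.
    for hdr in ('filename="report.tar.gz"\r\n', 'filename="invoice.pdf.exe"\r\n'):
        print(hdr.strip(), "->", "alert" if rx.search(hdr) else "ok")
```

Regenerate the rule and reload Snort whenever the whitelist file changes. File names carried in RFC 2047 or RFC 2231 encoded form are not matched by this pattern.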
