[Snort-users] Email alert

Jason Boyer jason at ...418...
Sun Apr 22 12:50:36 EDT 2001


This was previously posted. This was Max Vision's response.

<snip>
This is supported in Snort 1.8 - which you can download (BETA 3) at
whitehats.com, or directly from the CVS server at Sourceforge:
http://snort.sourceforge.net/snort-daily.tar.gz

If it is not feasible for you to upgrade, you can do this for Snort 1.7:

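   # write to a temporary file first: redirecting onto the input file truncates it
   sed 's/uricontent/content/g' vision.conf > vision.conf.tmp && mv vision.conf.tmp vision.conf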

Max
</snip>


Subba Rao wrote:

> I have downloaded Max Vision rules and when I try to start snort using his
> rules, I get the following error:
>
> ERROR: /etc/snort-vision.conf (93) => Unknown keyword "uricontent" in rule!
>
> The rule is as follows:
>
> alert TCP $INTERNAL 80 -> $EXTERNAL any (msg: "IDS276/http-cgi-bugzilla-exploit"
> ; flags: A+; uricontent: "process_bug.cgi"; nocase; content: "blaat at ...1874...";
> nocase; reference:arachnids,276;)
>
> I have changed "uricontent" to "urlcontent" and that did not work. How do I
> verify the syntax of these rules?
>
> Another question is, how do I setup snort to send email alerts?
>
> TIA.
> --
>
> Subba Rao
> subba9 at ...530...
> http://members.home.net/subba9/
>
> GPG public key ID 27FC9217