[Snort-users] Feature Request: regex matching available as $n strings for msg:?

Jason Haar Jason.Haar at ...294...
Sun Jun 22 18:56:03 EDT 2003


Says it all really. I know the regex support isn't live yet, but...

There are quite a few rules where it would be most useful if you could
actually "see" some of the data that triggered the alert. e.g. if you wanted
to log the username of all attempted FTP logins, you could do something
like:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
(msg:"Attempted FTP login by $1"; \
flow:to_server,established; \
regex:"USER ([^\s]+)";)

For realtime alerting in the current implementation, post-processing such
information is really next to impossible as you either have to interact with
the SQL database, or with raw tcpdump logs...


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
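A small Python model of the feature proposed above, added here as an illustration and not part of the original post or of Snort itself: a rule's regex is applied to a payload and each `$n` in the `msg:` template is replaced by the n-th capture group. The names `Rule`, `Packet`, `expand_msg`, `run_rule` and the `regex` field are assumptions for the example, and the FTP traffic is constructed. One caveat the post does not mention is handled explicitly: the captured text is attacker-controlled, so it is escaped before it lands in an alert line to keep newlines and terminal escape sequences out of log output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (assumed names), not Snort code: models "msg:" templates in
# which $n expands to the n-th capture group of the rule's regex.

CTRL = re.compile(r"[^\x20-\x7e]")
PLACEHOLDER = re.compile(r"\$(\d+)")


def sanitize(s: str) -> str:
    """Escape non-printable characters so attacker-controlled capture text
    cannot inject extra lines or terminal control sequences into an alert."""
    return CTRL.sub(lambda m: "\\x%02x" % ord(m.group(0)), s)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    to_server: bool
    payload: bytes


@dataclass
class Rule:
    msg: str            # message template with $1, $2, ... placeholders
    regex: str          # the hypothetical "regex:" option from the post
    dport: int = 21     # stands in for "-> $HOME_NET 21"
    to_server: bool = True   # stands in for "flow:to_server"

    def __post_init__(self):
        self._pat = re.compile(self.regex)


def expand_msg(rule: Rule, payload: str) -> Optional[str]:
    """Apply rule.regex to payload. On a hit, return msg with every $n replaced
    by the sanitized n-th capture group ($0 is the whole match). A group number
    the pattern does not have, or an optional group that did not participate,
    expands to the empty string. Returns None when the regex does not match."""
    m = rule._pat.search(payload)
    if m is None:
        return None

    def repl(ph):
        n = int(ph.group(1))
        if n > rule._pat.groups:
            return ""
        g = m.group(n)
        return sanitize(g) if g is not None else ""

    return PLACEHOLDER.sub(repl, rule.msg)


def run_rule(rule: Rule, packets: List[Packet]) -> List[str]:
    """Return one alert string per packet that satisfies the rule's header
    constraints (destination port, direction) and whose payload matches."""
    alerts = []
    for p in packets:
        if p.dport != rule.dport or p.to_server != rule.to_server:
            continue
        text = p.payload.decode("latin-1")   # 1:1 byte-to-char, never raises
        out = expand_msg(rule, text)
        if out is not None:
            alerts.append(f"[{p.src} -> {p.dst}:{p.dport}] {out}")
    return alerts


# The rule from the post, in this model's terms.
FTP_LOGIN = Rule(msg="Attempted FTP login by $1", regex=r"USER ([^\s]+)")

# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("203.0.113.5", "192.0.2.10", 21, True, b"USER anonymous\r\n"),
    Packet("203.0.113.5", "192.0.2.10", 21, True, b"PASS guest@\r\n"),
    Packet("192.0.2.10", "203.0.113.5", 21, False, b"331 Password required\r\n"),
    Packet("203.0.113.7", "192.0.2.10", 21, True, b"USER root\x1b[2J\r\n"),
    Packet("203.0.113.7", "192.0.2.10", 22, True, b"USER root\r\n"),
]

if __name__ == "__main__":
    for alert in run_rule(FTP_LOGIN, SAMPLE):
        print(alert)
```

Only the two `USER` commands sent to port 21 produce alerts; the server reply, the `PASS` command and the port-22 packet are filtered out, and the ESC sequence in the second username is rendered as `\x1b` rather than written raw into the log line.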
