[Snort-users] New snort rule lookup

John Hally JHally at ...5637...
Mon Mar 28 22:28:21 EST 2005


Thanks Frank,

At some point I'll probably look at hacking snortcenter2 to do it for me,
til then, grep it is.

Thanks!

-----Original Message-----
From: Frank Knobbe [mailto:frank at ...9761...] 
Sent: Monday, March 28, 2005 4:45 PM
To: John Hally
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] New snort rule lookup

On Mon, 2005-03-28 at 16:06 -0500, John Hally wrote:
> I noticed that the new rule lookup doesn't have the actual rule syntax
> included as it did before.  Was this planned?  I found that helped a
> LOT when trying to determine if the alert was malicious or not.

Heya John!

My guess would be that the web site is not able to distinguish between
the GPL rules and the VRT rules. Thus the web site does not display the
actual rules anymore. As you recall, you have to sign up for the VRT
rules.

That said, "grep 'sid:1234567' *.rules" works just as well. Just take a
look at the Snort rule themselves.

Cheers,
Frank





More information about the Snort-users mailing list