[Snort-users] Using a var in the conf and local rules

Stephen Mintz greybard at ...15978...
Mon Feb 25 15:39:12 EST 2013


Actually about it, I don't want to blacklist the sites, just get an alert when they are attempted. 

So back to a conf var. 



"Lay, James" <james.lay at ...15009...> wrote:

>From: Stephen Mintz [mailto:greybard at ...15978...] 
>Sent: Monday, February 25, 2013 1:15 PM
>To: Lay, James
>Subject: Re: [Snort-users] Using a var in the conf and local rules
>
> 
>
>Hey James, 
>
>Thanks for the reply! 
>Not sure either, never done that. 
>I am open for trying anything so I will check into it. 
>If anyone has any advice please reply? 
>
>
>
>
>"Lay, James" <james.lay at ...15009...> wrote:
>
>From: honeybadger at ...15978... [mailto:honeybadger at ...15978...] 
>Sent: Monday, February 25, 2013 10:51 AM
>To: Snort-users at lists.sourceforge.net
>Subject: [Snort-users] Using a var in the conf and local rules
>
> 
>
>Hey all, 
>
>I am adding scanners for 600+ suspect IPs in a text file. 
>Ok adding in include snort.var 
>Adding var IP_RULES
>Then alert tcp any any -> $IP_RULES any (msg:"suspect IP detected"; sid:4525;)
>I would like if the alert would tell me which IP it found. 
>Usually I would use a content but this is different. 
>Anyone know how to set this up? 
>
>Thanks, 
>
>
>-- 
>Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
>
>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
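
Added example, not part of the original thread or of Snort itself: a script that turns the suspect-IP text file into the snort.var include and the matching local rule. It assumes one IP or CIDR per line with optional # comments, uses the Snort 2.9 ipvar keyword, and its function names are hypothetical. Snort's alert output already records the source and destination address of the matching packet, so each alert shows which list entry was hit.

```python
import ipaddress

# Constructed sample of the suspect-IP text file (documentation address ranges).
SAMPLE_LIST = """\
# suspect hosts
192.0.2.10
198.51.100.7   # trailing comment
192.0.2.10
203.0.113.0/28
not-an-ip
203.0.113.5
"""

def parse_ip_list(text):
    """Return (networks, rejected): validated, de-duplicated, collapsed entries."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # A bad entry inside the list would stop Snort from loading the conf.
            rejected.append((lineno, entry))
    # collapse_addresses works on one IP version at a time
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4))
    collapsed += list(ipaddress.collapse_addresses(v6))
    return collapsed, rejected

def fmt(net):
    """Single hosts are written without a mask, ranges in CIDR form."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)

def render_var_file(nets, name="IP_RULES"):
    """Contents for snort.var (variable name taken from the thread)."""
    return "ipvar %s [%s]\n" % (name, ",".join(fmt(n) for n in nets))

def render_rule(name="IP_RULES", sid=4525):
    """Local rule using the variable; sid 4525 is the value quoted in the thread."""
    return ('alert tcp any any -> $%s any '
            '(msg:"suspect IP detected"; sid:%d; rev:1;)\n' % (name, sid))

if __name__ == "__main__":
    nets, rejected = parse_ip_list(SAMPLE_LIST)
    print(render_var_file(nets), render_rule(), sep="", end="")
    for lineno, entry in rejected:
        print("skipped line %d: %r" % (lineno, entry))
```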