[Snort-users] Using a var in the conf and local rules

JJ Cummings cummingsj at ...11827...
Mon Feb 25 15:59:01 EST 2013


Can still be, and should be, done with blacklisting

Sent from the iRoad

On Feb 25, 2013, at 12:39, Stephen Mintz <greybard at ...15978...> wrote:

> Actually about it, I don't want to blacklist the sites, just get an alert when they are attempted. 
> 
> So back to a conf var. 
> 
> 
> 
> "Lay, James" <james.lay at ...15009...> wrote:
>> 
>> From: Stephen Mintz [mailto:greybard at ...15978...] 
>> Sent: Monday, February 25, 2013 1:15 PM
>> To: Lay, James
>> Subject: Re: [Snort-users] Using a var in the conf and local rules
>> 
>> 
>> 
>> Hey James, 
>> 
>> Thanks for the reply! 
>> Not sure either, never done that. 
>> I am open for trying anything so I will check into it. 
>> If anyone has any advice please reply? 
>> 
>> 
>> 
>> 
>> "Lay, James" <james.lay at ...15009...> wrote:
>> 
>> From: honeybadger at ...15978... [mailto:honeybadger at ...15978...] 
>> Sent: Monday, February 25, 2013 10:51 AM
>> To: Snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Using a var in the conf and local rules
>> 
>> 
>> 
>> Hey all, 
>> 
>> I am adding scanners for 600+ suspect IPs in a text file. 
>> Ok adding in include snort.var 
>> Adding var IP_RULES
>> Then alert tcp any any -> $IP_RULES any (msg:"suspect IP detected"; sid:4525;)
>> I would like if the alert would tell me which IP it found. 
>> Usually I would use a content but this is different. 
>> Anyone know how to set this up?
>> 
>> Thanks, 
> 
> -- 
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
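An added example (not part of the original thread and not Snort's own tooling) of the variable approach asked about above: it turns a text file of suspect addresses into a variable definition for the included file plus the matching alert rule. The sample list, the function names and the use of `ipvar` (Snort 2.9's keyword for IP-list variables) in place of `var` are assumptions; `IP_RULES` and sid 4525 come from the original post.

```python
import ipaddress

# Constructed sample of the suspect-IP text file (documentation ranges only).
SAMPLE_LIST = """\
# suspect hosts
192.0.2.10
198.51.100.0/24
198.51.100.77      # already covered by the /24 above
203.0.113.5
203.0.113.5
not-an-ip
"""

def load_networks(text):
    """Parse one address or CIDR per line; return (networks, rejected entries)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # report bad lines instead of breaking snort.conf
    # collapse_addresses drops duplicates and merges covered or adjacent ranges;
    # it cannot mix address families, so IPv4 and IPv6 are collapsed separately.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return merged, rejected

def render(nets, var_name="IP_RULES", sid=4525):
    """Return the variable line for the included file and the local rule."""
    items = ",".join(
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in nets
    )
    var_line = f"ipvar {var_name} [{items}]"
    rule = (f'alert tcp any any -> ${var_name} any '
            f'(msg:"suspect IP detected"; sid:{sid};)')
    return var_line, rule

if __name__ == "__main__":
    networks, bad = load_networks(SAMPLE_LIST)
    for line in render(networks):
        print(line)
    print("rejected:", bad)
```

Snort's alert output records the source and destination address of the packet that matched, so the alert itself identifies which listed IP was contacted.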