[Snort-users] outputting variables for analysts

Long, Kerry S kslong at ...312...
Fri Jan 3 09:24:24 EST 2014


Hello,



I am trying to figure out the best way to accomplish this.  I want my analysts to see a variable I capture with byte extract in their alert display.  Ideally it could just be inserted into the message field like below. I could also use Unified2 alerts with an extra custom field maybe where I create some sort of plugin to grab the value and insert it into a Unified2 alert.  Trying to decide what is the easiest way to do it.



alert tcp any any -> any any (byte_extract:1, 0, str_offset; \
        byte_extract:1, 1, str_depth; \
        content:"bad stuff"; offset:str_offset; depth:str_depth; \
        msg:"Bad Stuff detected within field at $str_offset";)





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140103/4844f0f5/attachment.html>


More information about the Snort-users mailing list
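Added example, not part of the post above and not Snort project code: Snort's msg option is a fixed string, and byte_extract values only exist at match time, so the $str_offset substitution the poster wants has to happen outside Snort. The script below emulates the posted rule's byte_extract / content / offset / depth logic over an alert's packet payload (for instance one pulled from a pcap or unified2 record by an enrichment step) and renders the message with the extracted values filled in. The sample payloads are constructed, and the assumption that depth bounds the search region starting at offset follows Snort 2.9 semantics.

```python
import re
from typing import Dict, Optional

# The rule from the post, reflowed onto one line. The "$str_offset" in msg is the
# poster's wish; Snort itself does not expand it, so this script does.
RULE = (
    'alert tcp any any -> any any (byte_extract:1, 0, str_offset; '
    'byte_extract:1, 1, str_depth; '
    'content:"bad stuff"; offset:str_offset; depth:str_depth; '
    'msg:"Bad Stuff detected within field at $str_offset";)'
)

BYTE_EXTRACT_RE = re.compile(r"byte_extract:\s*(\d+)\s*,\s*(\d+)\s*,\s*(\w+)\s*;")
CONTENT_RE = re.compile(
    r'content:\s*"([^"]*)"\s*;\s*offset:\s*(\w+)\s*;\s*depth:\s*(\w+)\s*;'
)
MSG_RE = re.compile(r'msg:\s*"([^"]*)"\s*;')


def byte_extract_vars(rule: str, payload: bytes) -> Dict[str, int]:
    """Emulate byte_extract: read <size> bytes at <offset> (big-endian,
    Snort's default byte order) into the named variable."""
    variables: Dict[str, int] = {}
    for size, offset, name in BYTE_EXTRACT_RE.findall(rule):
        size, offset = int(size), int(offset)
        chunk = payload[offset:offset + size]
        if len(chunk) != size:
            # Snort would simply fail the option here; surface it to the analyst.
            raise ValueError(f"payload too short for byte_extract of {name}")
        variables[name] = int.from_bytes(chunk, "big")
    return variables


def resolve(token: str, variables: Dict[str, int]) -> int:
    """offset/depth may be a literal number or a byte_extract variable name."""
    return int(token) if token.isdigit() else variables[token]


def evaluate(rule: str, payload: bytes) -> Optional[str]:
    """Return the msg with $variables substituted if the rule's content check
    matches the payload, else None."""
    variables = byte_extract_vars(rule, payload)
    m = CONTENT_RE.search(rule)
    if m is None:
        raise ValueError("rule has no content/offset/depth options")
    pattern = m.group(1).encode()
    offset = resolve(m.group(2), variables)
    depth = resolve(m.group(3), variables)
    # Assumption: the search region is payload[offset : offset + depth] (Snort 2.9).
    if pattern not in payload[offset:offset + depth]:
        return None
    msg = MSG_RE.search(rule).group(1)
    # Replace $name with the extracted value; unknown names are left untouched.
    return re.sub(r"\$(\w+)", lambda v: str(variables.get(v.group(1), v.group(0))), msg)


# Constructed sample payloads (not real traffic):
# byte 0 = field offset, byte 1 = field length, then the field itself.
HIT = b"\x02\x0bXXbad stuff trailing"   # offset 2, depth 11 covers "XXbad stuff"
MISS = b"\x02\x05XXbad stuff trailing"  # offset 2, depth 5 covers only "XXbad"

if __name__ == "__main__":
    print(evaluate(RULE, HIT))   # Bad Stuff detected within field at 2
    print(evaluate(RULE, MISS))  # None
```

Run as a post-processor on the payload attached to each alert; the enriched string can then be written to whatever the analysts' console reads, while the Snort rule itself keeps its static msg.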