[Snort-users] outputting variables for analysts
Long, Kerry S
kslong at ...312...
Fri Jan 3 09:24:24 EST 2014
I am trying to figure out the best way to accomplish this. I want my analysts to see a variable I capture with byte extract in their alert display. Ideally it could just be inserted into the message field like below. I could also use Unified2 alerts with an extra custom field maybe where I create some sort of plugin to grab the value and insert it into a Unified2 alert. Trying to decide what is the easiest way to do it.
alert tcp any any -> any any (byte_extract:1, 0, str_offset; \
byte_extract:1, 1, str_depth; \
content:"bad stuff"; offset:str_offset; depth:str_depth; \
msg:"Bad Stuff detected within field at $str_offset";)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users