[Snort-users] [Snort-user] dynamic variable for content match

Al Lewis (allewi) allewi at ...589...
Mon Jan 26 15:34:05 EST 2015


I think what you are saying is that you want to:

1) type into a terminal
2) have that word added to a rule
3) have Snort alert based on that content in that rule

If so, you are probably going to have to create something for this, as it will need to get the input, write/save the rule and reload Snort again each time. I am not aware of a way to do this "cleanly".

Maybe someone else can chime in if they have had experience with that.

Sorry in advance if I misinterpreted what you were asking. 

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 


-----Original Message-----
From: zT [mailto:zzahra88 at ...11827...] 
Sent: Monday, January 26, 2015 3:16 PM
To: snort-users
Subject: [Snort-users] [Snort-user] dynamic variable for content match

Hello all, I am new to Snort. I want to get a keyword from the Ubuntu terminal and search for it in packets (content match). Doing this with a static value is something like this:

alert tcp any any -> any any (msg:" your content found"; sid:100000; content:"something to find"; )

Any help is highly appreciated.

Thanks and Regards,
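
The three steps listed in the reply (read the keyword, write the rule, reload Snort) can be scripted as below. This is an added example, not code from either poster or from the Snort project; the function names, the rules file and PID file paths, and the SID are assumptions, and the rules file must already be included from snort.conf.

```shell
#!/bin/sh
# Added example. Function names, paths and SIDs are assumptions, not from the thread.

# Hex-encode the keyword in Snort's |..| content form so that characters
# with meaning in rule syntax (; " \ |) cannot change the rule's structure.
snort_content_hex() {
    [ -n "$1" ] || return 1                      # refuse an empty keyword
    hex=$(printf '%s' "$1" | od -An -v -tx1 | tr -d '\n' | tr -s ' ' \
          | sed 's/^ //; s/ $//')
    printf '|%s|' "$hex"
}

# Build one rule line for a keyword and a numeric SID.
# Local rules conventionally use SIDs of 1000000 and above.
build_rule() {
    keyword=$1 sid=$2
    case $sid in ''|*[!0-9]*) return 1 ;; esac   # SID must be digits only
    content=$(snort_content_hex "$keyword") || return 1
    printf 'alert tcp any any -> any any (msg:"keyword match"; content:"%s"; sid:%s; rev:1;)\n' \
        "$content" "$sid"
}

# Write the rules file atomically, then signal Snort if a PID file is given.
# SIGHUP reloads the configuration only if Snort was built with reload support.
install_rule() {
    keyword=$1 sid=$2 rules_file=$3 pid_file=${4:-}
    rule=$(build_rule "$keyword" "$sid") || return 1
    tmp="$rules_file.tmp.$$"
    printf '%s\n' "$rule" > "$tmp" && mv "$tmp" "$rules_file" || return 1
    if [ -n "$pid_file" ] && [ -r "$pid_file" ]; then
        kill -HUP "$(cat "$pid_file")"
    fi
}

# Interactive use: sh keyword_rule.sh --prompt   (paths below are assumed)
if [ "${1:-}" = "--prompt" ]; then
    printf 'Keyword: '
    IFS= read -r kw
    install_rule "$kw" 1000001 /etc/snort/rules/keyword.rules /var/run/snort_eth0.pid
fi
```

The message text is kept fixed rather than echoing the keyword, so nothing typed at the prompt reaches the rule outside the hex-encoded content option.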
