[Snort-users] [Snort-user] dynamic variable for content match

zT zzahra88 at ...11827...
Mon Jan 26 15:42:23 EST 2015


Thanks for your suggestion, but I don't want to do it this way. Thanks anyway :)

On 1/27/15, Al Lewis (allewi) <allewi at ...589...> wrote:
> I think what you are saying is that you want to:
>
> 1)  type into a terminal
> 2)  have that word added to a rule
> 3) have snort alert based on that content in that rule
>
> If so you are probably going to have to create something for this as it will
> need to get the input, write/save the rule and reload snort again each time.
> I am not aware of a way to do this "cleanly".
>
> Maybe someone else can chime in if they have had experience with that.
>
> Sorry in advance if I misinterpreted what you were asking.
>
> Hope this helps.
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
>
> -----Original Message-----
> From: zT [mailto:zzahra88 at ...11827...]
> Sent: Monday, January 26, 2015 3:16 PM
> To: snort-users
> Subject: [Snort-users] [Snort-user] dynamic variable for content match
>
> Hello all, I am new to Snort. I want to get a keyword from the Ubuntu
> terminal and search for it in packets (content match). Doing this with a
> static value is something like this:
>
> alert tcp any any -> any any (msg:" your content found"; sid:100000; content:"something to find"; )
>
> Any help is highly appreciated.
>
> Thanks and Regards,
>
>
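
The workflow Al Lewis describes above (take the input, write the rule, reload Snort), as an added example that is not part of the thread or of Snort itself. The rules file path, sid and msg text are assumptions; bytes other than ASCII letters and digits are hex-encoded so that typed input cannot close the content option or alter the rule.

```python
"""Build a Snort rule from a keyword typed at the terminal (added example)."""
import os
import sys
import tempfile

# Assumptions, not from the thread: a dedicated rules file that snort.conf
# includes, and a sid in the local range (>= 1000000).
RULES_FILE = "/etc/snort/rules/dynamic.rules"
SID = 1000001


def content_pattern(keyword: str) -> str:
    """Encode a keyword for content:"...". ASCII letters and digits stay
    literal; every other byte goes into a |hex| run, so characters such as
    ; " \\ and | cannot close the option or change the rule."""
    data = keyword.encode("utf-8")
    if not data:
        raise ValueError("keyword is empty")
    parts, run = [], []
    for b in data:
        if b < 0x80 and chr(b).isalnum():
            if run:
                parts.append("|" + " ".join(run) + "|")
                run = []
            parts.append(chr(b))
        else:
            run.append(f"{b:02X}")
    if run:
        parts.append("|" + " ".join(run) + "|")
    return "".join(parts)


def build_rule(keyword: str, sid: int = SID) -> str:
    return ('alert tcp any any -> any any (msg:"keyword content found"; '
            f'content:"{content_pattern(keyword)}"; sid:{sid}; rev:1;)')


def write_rule(keyword: str, path: str = RULES_FILE) -> None:
    """Replace the rules file atomically so Snort never reads a partial rule."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(build_rule(keyword) + "\n")
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; let the Snort user read it
    os.replace(tmp, path)


if __name__ == "__main__":
    write_rule(sys.argv[1] if len(sys.argv) > 1 else input("keyword: "))
    print(f"wrote {RULES_FILE}; reload or restart Snort to load it")
```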



