[Snort-users] Question

wkitty42 at windstream.net wkitty42 at windstream.net
Fri Sep 22 12:47:53 EDT 2017


On 09/22/2017 11:46 AM, William Pearson wrote:
> I'm using BASE, and the results snort is giving me are beyond vague. I presume 
> this is an issue with the rules and preprocessing. I couldn't care less about 
> what preprocessor is being used. I'm singularly interested in the actual rule. 
> Why won't it show me the message field in the actual rules?
> 
> [snort <http://www.snort.org/search/sid/120-3>] http_inspect: NO CONTENT-LENGTH 
> OR TRANSFER-ENCODING IN HTTP RESPONSE


in this example, the all CAPS /is/ the msg portion of the rule... however, 
preprocessors are slightly different in that the rules are written into the code 
of snort... kind of like the shared object rules... generally speaking, their 
msg contents cannot be changed like the text-based rules that are used...


are you, perhaps, looking for the actual GID:SID of the rule? to us, that's more 
important than the msg text...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
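
Added example (editor's addition, not part of the thread and not Snort's own code): a
Python script that pulls the GID:SID:REV out of alert_fast-style lines and looks the
(gid, sid) pair up in rule text, so a preprocessor event such as 120:3 resolves to a
preprocessor.rules entry while a gid 1 event resolves to the msg in a .rules file. The
alert lines, the text rule and the preprocessor.rules entries are constructed samples;
the msg names in them are assumed to follow the layout Snort ships, not copied from a
real install.

```python
"""Map Snort alerts back to the rule that fired them by GID:SID:REV.

Added example, not code from the Snort project or from the thread. Parses
alert_fast-style lines plus two small rule files (all constructed inline) and
shows where the msg text comes from: a .rules file for gid 1, compiled code
for preprocessor generators such as 119/120 (http_inspect).
"""
import re

# Generator IDs Snort assigns: 1 = text rules, 3 = shared-object rules.
# Anything else is a preprocessor/decoder whose msg lives in Snort's C code.
GENERATOR_KINDS = {1: "text rule", 3: "shared object rule"}

# Constructed sample alerts in alert_fast layout (assumption: realistic, not from the thread).
SAMPLE_ALERTS = """\
09/22-11:40:12.123456  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234
09/22-11:40:13.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51235
09/22-11:40:14.000002  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.9:51236 -> 10.0.0.5:80
"""

# Constructed text rule (no gid option, so it defaults to generator 1).
SAMPLE_TEXT_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
"""

# Constructed preprocessor.rules entries: same option syntax, explicit gid.
# Assumption: msg names mirror the style of the file Snort ships.
SAMPLE_PREPROC_RULES = """\
alert ( msg: "HI_CLIENT_DOUBLE_DECODE"; sid: 2; gid: 119; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )
alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )
"""

# "[**] [gid:sid:rev] (generator) msg [**]"; the "(generator)" prefix only
# appears on preprocessor events.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<generator>[^)]+)\) )?(?P<msg>.*?) \[\*\*\]"
)


def parse_alert(line):
    """Return gid/sid/rev/generator/msg from one alert line, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "generator": d["generator"], "msg": d["msg"],
    }


def load_rule_msgs(rules_text):
    """Index msg by (gid, sid). Rules without a gid option are text rules (gid 1)."""
    index = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = re.search(r"\bsid:\s*(\d+)", line)
        msg = re.search(r'\bmsg:\s*"([^"]*)"', line)
        if not (sid and msg):
            continue
        gid = re.search(r"\bgid:\s*(\d+)", line)
        index[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = msg.group(1)
    return index


def explain(alert, rule_index):
    """Say which generator fired, the stable GID:SID:REV, and what the on-disk rule calls it."""
    key = (alert["gid"], alert["sid"])
    kind = GENERATOR_KINDS.get(alert["gid"], "preprocessor/decoder event")
    return {
        "id": "%d:%d:%d" % (alert["gid"], alert["sid"], alert["rev"]),
        "kind": kind,
        "msg_source": ".rules file (editable)" if alert["gid"] == 1 else "compiled into Snort",
        "rule_msg": rule_index.get(key),   # None if the rule file does not know this pair
        "alert_msg": alert["msg"],
    }


def analyze(alerts_text, rules_text):
    """Run every alert line through explain(); skips lines that are not alerts."""
    index = load_rule_msgs(rules_text)
    return [explain(a, index) for a in map(parse_alert, alerts_text.splitlines()) if a]


if __name__ == "__main__":
    for r in analyze(SAMPLE_ALERTS, SAMPLE_TEXT_RULES + SAMPLE_PREPROC_RULES):
        print("%-12s %-28s msg from %-24s rule msg: %s" % (r["id"], r["kind"], r["msg_source"], r["rule_msg"]))
```

The point of the lookup is the one made above: for a preprocessor event the
all-caps text in BASE is already the msg, and the GID:SID (120:3 here) is the
key you search for, suppress on, or set a threshold against; only gid 1 events
have a msg you can rewrite in a .rules file.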
