[Snort-users] Question

William Pearson william at cnsp.net
Fri Sep 22 18:26:44 EDT 2017


Jim,

Yeah, I know, but it's much easier to manage if it lists things by the msg
in the rule.

So, for example this rule,

alert tcp $HOME_NET any -> [31.214.157.227,31.41.44.130] any (msg:"ET CNC
Ransomware Tracker Reported CnC Server TCP group 86"; flags:S;
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,$

I want it to say "ET CNC Ransomware Tracker Reported CnC Server TCP group
86" in BASE.

Will


On Fri, Sep 22, 2017 at 3:25 PM, Jim Campbell <jim at w4bqp.net> wrote:

> Will,
>
> If you hover your cursor over the [snort
> <http://www.snort.org/search/sid/120-3>] at the beginning of the Alert,
> you will see the GID-SID at the bottom of the page.
>
> Jim
>
> On 9/22/2017 11:46 AM, William Pearson wrote:
>
> I'm using BASE, and the results snort is giving me is beyond vague. I
> presume this is an issue with the rules and preprocessing. I couldn't care
> less about what preprocessor is being used. I'm singularly interested in
> the actual rule. Why won't it show me the message field in the actual rules?
>
> [snort <http://www.snort.org/search/sid/120-3>] http_inspect: NO
> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
>
>
> Will
>
>
>
>
>
> _______________________________________________
> Snort-users mailing listSnort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170922/fd138d55/attachment.html>


More information about the Snort-users mailing list