william at cnsp.net
Fri Sep 22 18:26:44 EDT 2017
Yeah, I know, but it's much easier to manage if it lists things by the msg
in the rule.
So, for example this rule,
alert tcp $HOME_NET any -> [22.214.171.124,126.96.36.199] any (msg:"ET CNC
Ransomware Tracker Reported CnC Server TCP group 86"; flags:S;
I want it to say "ET CNC Ransomware Tracker Reported CnC Server TCP group
86" in BASE.
On Fri, Sep 22, 2017 at 3:25 PM, Jim Campbell <jim at w4bqp.net> wrote:
> If you hover your cursor over the [snort
> <http://www.snort.org/search/sid/120-3>] at the beginning of the Alert,
> you will see the GID-SID at the bottom of the page.
> On 9/22/2017 11:46 AM, William Pearson wrote:
> I'm using BASE, and the results Snort is giving me are beyond vague. I
> presume this is an issue with the rules and preprocessing. I couldn't care
> less about what preprocessor is being used. I'm singularly interested in
> the actual rule. Why won't it show me the message field in the actual rules?
> [snort <http://www.snort.org/search/sid/120-3>] http_inspect: NO
> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE