[Snort-users] Question

wkitty42 at windstream.net wkitty42 at windstream.net
Sat Sep 23 12:20:08 EDT 2017


On 09/22/2017 06:26 PM, William Pearson wrote:
> Jim,
> 
> Yeah, I know, but it's much easier to manage if it lists things by the msg in 
> the rule.
> 
> So, for example this rule,
> 
> alert tcp $HOME_NET any -> [31.214.157.227,31.41.44.130] any (msg:"ET CNC 
> Ransomware Tracker Reported CnC Server TCP group 86"; flags:S; 
> reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,$
> 
> I want it to say "ET CNC Ransomware Tracker Reported CnC Server TCP group 86" in 
> BASE.


that's what it should be doing... what are you seeing?

could it be that your sidmsg.map file is not up to date with the rules you have 
loaded?

is it the existence of the "[snort]" link at the beginning that you don't like?


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
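One way to run the sid-msg.map staleness check suggested above, as an added example that is not part of the original post and not code from the Snort project or BASE: it pulls sid/msg out of each active rule, reads sid-msg.map in either the old `sid || msg || ref` layout or the `#v2` `gid || sid || rev || class || priority || msg || ref` layout that create-sidmap.pl writes (that layout is my assumption of the format, check it against your own file), and lists rules whose sid is missing from the map or whose msg no longer matches. The rules and map below are constructed samples; the sids 2000001, 1000001 and 1000002 are hypothetical.

```python
import re

# Constructed sample input: three active rules, one of them modelled on the ET rule in the thread.
# The sids are hypothetical and chosen for the example only.
SAMPLE_RULES = r'''
# ET rule from the thread (sid below is hypothetical)
alert tcp $HOME_NET any -> [31.214.157.227,31.41.44.130] any (msg:"ET CNC Ransomware Tracker Reported CnC Server TCP group 86"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; sid:2000001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL reverse shell callback"; sid:1000001; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP probe"; sid:1000002; rev:1;)
'''

# Constructed sid-msg.map in the v1 layout: the second entry carries an out-of-date msg,
# and sid 1000002 is absent altogether.
SAMPLE_SIDMAP = '''
2000001 || ET CNC Ransomware Tracker Reported CnC Server TCP group 86 || url,doc.emergingthreats.net/bin/view/Main/BotCC
1000001 || LOCAL reverse shell (old message) ||
'''

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
# msg is a double-quoted string; allow backslash escapes inside it.
MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;')


def parse_rules(text):
    """Return {(gid, sid): msg} for every uncommented rule that carries both sid and msg."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = SID_RE.search(line)
        msg = MSG_RE.search(line)
        if not sid or not msg:
            continue
        gid = GID_RE.search(line)
        # Rules without an explicit gid belong to generator 1 (the rules engine).
        out[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = msg.group(1)
    return out


def parse_sidmap(text):
    """Return {(gid, sid): msg} from sid-msg.map, accepting the v1 and '#v2' layouts (assumed formats)."""
    out = {}
    v2 = False
    for line in text.splitlines():
        line = line.strip()
        if line == '#v2':
            v2 = True
            continue
        if not line or line.startswith('#'):
            continue
        fields = [f.strip() for f in line.split('||')]
        if v2:
            gid, sid, msg = int(fields[0]), int(fields[1]), fields[5]
        else:
            gid, sid, msg = 1, int(fields[0]), fields[1]
        out[(gid, sid)] = msg
    return out


def check(rules_text, sidmap_text):
    """Return (missing, stale): rule keys absent from the map, and keys whose msg differs."""
    rules = parse_rules(rules_text)
    sidmap = parse_sidmap(sidmap_text)
    missing = sorted(k for k in rules if k not in sidmap)
    stale = sorted(k for k in rules if k in sidmap and sidmap[k] != rules[k])
    return missing, stale


if __name__ == '__main__':
    missing, stale = check(SAMPLE_RULES, SAMPLE_SIDMAP)
    for gid, sid in missing:
        print(f'no sid-msg.map entry for {gid}:{sid}')
    for gid, sid in stale:
        print(f'sid-msg.map msg out of date for {gid}:{sid}')
```

Point the two parse functions at your loaded rules files and the sid-msg.map that BASE (via barnyard2 or the output plugin) actually reads; any sid reported as missing will show up in BASE without the rule's msg, and any stale one will show the old text.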
