Snort mailing list archives

Re: How to extract part of “content ” and print in “msg” of a Snort Alert
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 15 Apr 2013 10:59:20 -0400

On Apr 15, 2013, at 9:06 AM, Heshan Perera <anthonyheshanperera () gmail com> wrote:

I am trying to write a Snort rule that will allow me to print the name of a file being downloaded via FTP.

The following is the rule I have so far...

alert tcp any any <> any any (content:"RETR:";msg:"A file is being downloaded.";sid:1000004;)

While this rule works, I can't figure out how to print the name of the file in the "msg" component of the alert. For example I would want the output of the alert to be something like...

"A file is being downloaded. The file name is foo.txt".

The file name is available in the content of the FTP traffic (RETR: /foo.txt)

I just cannot figure out how to extract that content and print it as a part of the message.

Any help on this would be highly appreciated.

This is not a feature that Snort currently supports in any version.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
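Since the msg option is a fixed string, the file name has to be recovered outside Snort, from the logged packet payload. The following is an added example of that post-processing step, not code from this thread or from the Snort project: it assumes the FTP command-channel payload has already been captured (for instance from a packet log) and is available as bytes, and it accepts both the real FTP form "RETR <path>" and the "RETR: <path>" form used in the question (the optional colon is an assumption). The sample payload is constructed for the example.

```python
"""Build the alert text asked for in the thread from captured FTP command
traffic.  Added example, not Snort functionality: Snort's msg is a fixed
string, so the RETR argument must be pulled out of the logged payload
afterwards.  Assumes the command-channel bytes are already available."""
import re

# One FTP RETR command line.  Real clients send "RETR <path>"; the question's
# rule uses "RETR:", so the colon is optional here (an assumption to cover
# both).  MULTILINE lets ^ and $ work per line; $ matches before the \n.
RETR_RE = re.compile(
    rb"^RETR:?[ \t]+(?P<path>[^\r\n]+)\r?$", re.IGNORECASE | re.MULTILINE
)


def extract_retr_filenames(payload: bytes) -> list[str]:
    """Return the base file name of every RETR command found in payload."""
    names = []
    for m in RETR_RE.finditer(payload):
        path = m.group("path").strip().decode("utf-8", errors="replace")
        # Keep only the final path component, dropping any directories.
        names.append(path.rsplit("/", 1)[-1])
    return names


def build_alert_message(
    payload: bytes, base_msg: str = "A file is being downloaded."
) -> list[str]:
    """One alert line per RETR, in the wording the question asked for."""
    return [f"{base_msg} The file name is {n}" for n in extract_retr_filenames(payload)]


# Constructed sample FTP command-channel payload (not real captured traffic).
SAMPLE_PAYLOAD = (
    b"USER anonymous\r\n"
    b"PASS guest@example.com\r\n"
    b"TYPE I\r\n"
    b"RETR /foo.txt\r\n"
    b"RETR: /pub/report.pdf\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for line in build_alert_message(SAMPLE_PAYLOAD):
        print(line)
```

Run against the sample payload this prints one line per RETR command; in practice the payload would come from the packets Snort logged for sid 1000004, and the message would be assembled in whatever log post-processing already exists.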

Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

