Home page logo
/

snort logo Snort mailing list archives

Re: sid in .rules
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 11 May 2013 12:29:30 -0400



oops! i hit the wrong button before i completed my post :/

On 5/11/2013 11:24, JJ Cummings wrote:
grep 'sid:1324' /path/to/rules/*

this works for those rules without a space or tab between the ':' and the SID ;)

it will also find sid 1324xxxx...

my comment above about the space or tab is based on previous rules that were 
distributed as "sid: xxxx;" which is perfectly acceptable to snort... the 
problem was inconsistency for easy greps which is why i decided to use

   "sid:\W*xxxx;"

that way we get the rule(s) with or without the space as well as terminating the 
entry with the semicolon so we only get those with the sought after SID ;)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault