Re: How to extract part of “content” and print in “msg” of a Snort Alert

[Joel Esler <jesler () sourcefire com>]

On Apr 15, 2013, at 9:06 AM, Heshan Perera <anthonyheshanperera () gmail com> wrote:

> I am trying to write a Snort rule that will allow me to print the name of a file being downloaded via FTP.
>
> The following is the rule I have so far...
>
> alert tcp any any <> any any (content:"RETR:";msg:"A file is being downloaded.";sid:1000004;)
> While this rule works, I can't figure out how to print the name of the file in the "msg" component of the alert. For 
> example I would want the output of the alert to be something like...
>
> "A file is being downloaded. The file name is foo.txt".
>
> The file name is available in the content of the FTP traffic (RETR: /foo.txt)
>
> I just cannot figure out how to extract that content and print it as a part of the message.
>
> Any help on this would be highly appreciated.
This is not a feature that Snort currently supports in any version.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!