Snort mailing list archives
Re: help with rules - data capturing
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 21 Dec 2007 17:01:40 -0500
On Dec 21, 2007 3:20 PM, Timothy Ding <iolabs () gmail com> wrote:
Dear list, I need some pointers on writing a rule to capture data containing the keyword $GPRMC coming from port 13001 into the Snort database. Is this possible with Snort? I would appreciate any advice.

alert tcp any any -> $HOME_NET 13001 (content: "$GPRMC"; \
    msg: "display some message";)
I think it should work pretty much as-is, but here is how I would write the rule:

alert tcp any any -> $HOME_NET 13001 (msg: "GPRMC found in packet"; \
    flow:to_server,established; content:"|24|GPRMC"; nocase; sid:9999000;)

Use the flow: directive to only analyze packets that are in-state for the connection described. I also hexified the $ in $GPRMC just to be safe; that way it doesn't get treated like a variable by anything that parses that rule. And then use some non-published sid value so that if you're using BASE, SGUIL, or something else that lets you search/sort by sid values, you can access it.

PaulM

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
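As an added illustration of the two points in Paul's reply (the |24| hex escape for "$" and the nocase modifier), the Python below is not part of the thread and is not Snort's own matching code. It translates a Snort content: string into the bytes Snort searches for, runs the match with and without nocase against constructed NMEA sentences, and applies a simplified version of Paul's rule in which the flow:to_server,established state is represented by two booleans (an assumption standing in for Snort's stream tracking) and $HOME_NET is assumed to match. The sample payloads are made up for the example, not captured traffic.

```python
# Added example: how a Snort content: pattern such as "|24|GPRMC" is matched.
# Illustration only, not Snort's matcher. The syntax it models is Snort's:
# text between pipes is hex bytes (0x24 is '$'), everything else is literal,
# and the nocase modifier makes the comparison case-insensitive.


def snort_content_to_bytes(pattern: str) -> bytes:
    """Translate a Snort content string into the raw bytes Snort looks for.

    '|24|GPRMC'   -> b'$GPRMC'
    '|24 47|PRMC' -> b'$GPRMC'   (whitespace inside the pipes is ignored)
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:               # even count means an unclosed '|'
        raise ValueError(f"unbalanced '|' in content pattern: {pattern!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("ascii")   # literal text outside the pipes
        else:
            out += bytes.fromhex(part)    # hex run inside the pipes
    return bytes(out)


def content_matches(payload: bytes, pattern: str, nocase: bool = False) -> bool:
    """Return True if the content pattern occurs anywhere in the payload."""
    needle = snort_content_to_bytes(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def rule_fires(dport: int, to_server: bool, established: bool, payload: bytes) -> bool:
    """Simplified evaluation of Paul's rule:
        alert tcp any any -> $HOME_NET 13001 (flow:to_server,established;
              content:"|24|GPRMC"; nocase; sid:9999000;)
    The two flow booleans stand in for Snort's stream tracking (an assumption
    made for this example); $HOME_NET is assumed to match the destination.
    """
    if dport != 13001:
        return False
    if not (to_server and established):   # e.g. a bare SYN is not in-state
        return False
    return content_matches(payload, "|24|GPRMC", nocase=True)


# Constructed sample payloads for the example (not captured traffic).
NMEA_UPPER = b"$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A\r\n"
NMEA_LOWER = NMEA_UPPER.lower()
OTHER = b"$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47\r\n"

if __name__ == "__main__":
    for name, p in (("upper", NMEA_UPPER), ("lower", NMEA_LOWER), ("other", OTHER)):
        print(name,
              "established:", rule_fires(13001, True, True, p),
              "bare SYN:", rule_fires(13001, True, False, p))
```

The lower-case sentence only matches because of nocase; without it the literal "$GPRMC" comparison fails, which is worth remembering if the GPS device's output casing is not known in advance.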
Current thread:
- help with rules - data capturing Timothy Ding (Dec 21)
- Re: help with rules - data capturing Paul Melson (Dec 21)
- Re: help with rules - data capturing Timothy Ding (Dec 21)
- Re: help with rules - data capturing Joel Esler (Dec 21)
- Re: help with rules - data capturing Paul Melson (Dec 23)
- Re: help with rules - data capturing Timothy Ding (Dec 26)
- Re: help with rules - data capturing Will Metcalf (Dec 26)
- Re: help with rules - data capturing Timothy Ding (Dec 21)
- Re: help with rules - data capturing Paul Melson (Dec 21)