Snort mailing list archives

Re: [Snort-user] dynamic variable for content match


From: zT <zzahra88 () gmail com>
Date: Tue, 27 Jan 2015 00:12:23 +0330

Thanks for your suggestion, but I don't want to do it this way. Thanks anyway :)

On 1/27/15, Al Lewis (allewi) <allewi () cisco com> wrote:
I think what you are saying is that you want to:

1)  type into a terminal
2)  have that word added to a rule
3) have snort alert based on that content in that rule

If so you are probably going to have to create something for this as it will
need to get the input, write/save the rule and reload snort again each time.
I am not aware of a way to do this "cleanly".

Maybe someone else can chime in if they have had experience with that.

Sorry in advance if I misinterpreted what you were asking.

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com


-----Original Message-----
From: zT [mailto:zzahra88 () gmail com]
Sent: Monday, January 26, 2015 3:16 PM
To: snort-users
Subject: [Snort-users] [Snort-user] dynamic variable for content match

Hello all, I am new to Snort. I want to get a keyword from the Ubuntu terminal
and search for it in packets (content match). Doing this with a static value is
something like this:

alert tcp any any -> any any (msg:" your content found"; sid:100000; content:"something to find"; )

Any help is highly appreciated.

Thanks and Regards,

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
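
The get-input, write-rule, reload sequence described in Al Lewis's reply above, sketched as an added example (not code from the thread or from the Snort project). The file paths, the SID, the reuse of the msg text and the reliance on a Snort build that reloads on SIGHUP are assumptions; the keyword is hex-encoded so that quotes or semicolons typed at the prompt cannot change the structure of the rule.

```python
#!/usr/bin/env python3
"""Build a Snort 2.x content rule from a keyword typed at the terminal."""
import os
import signal
import subprocess
import sys

# Assumed values for illustration; adjust to the local install.
SNORT_CONF = "/etc/snort/snort.conf"
RULE_FILE = "/etc/snort/rules/dynamic.rules"  # must be included from snort.conf
PID_FILE = "/var/run/snort_eth0.pid"
SID = 1000001  # constructed SID in the local-rule range


def content_pattern(keyword):
    """Hex-encode every byte so quotes, semicolons and pipes stay data."""
    data = keyword.encode("utf-8")
    if not data:
        raise ValueError("keyword must not be empty")
    return "|" + " ".join("%02X" % b for b in data) + "|"


def build_rule(keyword, sid=SID, rev=1):
    """Return one complete rule line for the given keyword."""
    return ('alert tcp any any -> any any (msg:"your content found"; '
            'content:"%s"; sid:%d; rev:%d;)'
            % (content_pattern(keyword), sid, rev))


def install_and_reload(rule):
    """Write the rule, test the configuration, then ask Snort to reload."""
    with open(RULE_FILE, "w") as fh:
        fh.write(rule + "\n")
    # -T makes Snort parse the configuration and rules, then exit.
    subprocess.run(["snort", "-T", "-c", SNORT_CONF], check=True)
    with open(PID_FILE) as fh:
        pid = int(fh.read().strip())
    # Assumes a Snort build that reloads on SIGHUP; otherwise restart it.
    os.kill(pid, signal.SIGHUP)


if __name__ == "__main__":
    rule = build_rule(input("keyword: "))
    print(rule)
    if "--install" in sys.argv[1:]:
        install_and_reload(rule)
```

Run without arguments it only prints the generated rule; with --install it also writes the rule file, runs the configuration test and signals the running Snort process.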