Snort mailing list archives

Re: possible to tailor the SDF combination alert message, or override with custom rule?


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 15 Jun 2015 20:34:26 +0000

Hello Sean,

When you get the combo sdf alert (GID:139) you should get the more specific alerts (GID:138) as well (if you have the 
SDF rules included from the “sensitive-data.rules” file). Have you included the more specific rules?

You can create your own local rules for sensitive data. See the “README.sensitive_data” file, which is also available here:
http://manual.snort.org/node163.html



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
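To make the reply above concrete, here is an added example of the two pieces it refers to: a snort.conf fragment that enables the Sensitive Data preprocessor and a local.rules fragment with sd_pattern rules carrying a custom msg. This is the editor's illustration, not code from Al's reply or from the Snort distribution; the SIDs, the "LOCAL" message prefix and the ACCT-nnnn-nnnnnn account-number pattern are made-up placeholders.

```snort
# --- snort.conf -------------------------------------------------------------
# Enable the Sensitive Data (SDF) preprocessor. alert_threshold is the number
# of PII matches seen in a session before the GID 139 "SDF Combination Alert"
# fires (25 is the default); mask_output replaces all but the last four digits
# of matched data in the logged packet so the alert itself does not leak PII.
preprocessor sensitive_data: alert_threshold 25 mask_output

# Load both the shipped SDF rules and your own. Without sensitive-data.rules
# (or local equivalents) you only ever see the generic combination alert.
include $RULE_PATH/sensitive-data.rules
include $RULE_PATH/local.rules

# --- local.rules ------------------------------------------------------------
# Per-match alerts carry whatever msg you write. Rules using sd_pattern must
# use gid:138; the sid is yours to choose (1000000 and above keeps clear of
# shipped rules). sd_pattern:<count>,<type> fires once <count> matches of
# <type> have been seen in the stream. Built-in types include credit_card,
# us_social, us_social_nodashes and email.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL credit card number sent in cleartext over HTTP"; gid:138; sid:1000001; rev:1; sd_pattern:1,credit_card;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"LOCAL US SSN sent over SMTP"; gid:138; sid:1000002; rev:1; sd_pattern:2,us_social;)

# Custom PII type using the preprocessor's limited pattern syntax (\d matches a
# digit, {n} repeats the previous item n times, other characters match
# literally). The ACCT-nnnn-nnnnnn format is an invented placeholder standing
# in for an internal identifier you actually care about.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL internal account number leaving the network"; gid:138; sid:1000003; rev:1; sd_pattern:1,ACCT-\d{4}-\d{6};)
```

The GID 139 combination alert keeps its fixed message; the text you want to see is carried by the GID 138 rules, so the way to get "credit card transaction in clear text" style output is to write or edit a sd_pattern rule with that msg rather than to override the preprocessor with content or pcre. A plain pcre rule cannot replace sd_pattern here because the SDF matching (including the Luhn check on credit_card) is done by the preprocessor, not the rule engine.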

From: Sean [mailto:sean.barmettler () gmail com]
Sent: Monday, June 15, 2015 1:21 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] possible to tailor the SDF combination alert message, or override with custom rule?

Preemptive apologies if this is answered elsewhere, as I didn't find it.

Simple enough questions:
* is it possible to tailor the equivalence of the "msg" portion of SDF output matches? I.e.:
SDF Combination Alert [**] [Classification: Senstive Data] should ideally be "alert: credit card transaction in clear 
text" or something more specific

* is it possible to override the SDF engine with a local rule? Thus far I've been unsuccessful with that using PCRE, 
exact match, content, etc.

thanks in advance.

Sean
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
