Snort mailing list archives
Re: Question
From: William Pearson <william () cnsp net>
Date: Fri, 22 Sep 2017 16:26:44 -0600
Jim,

Yeah, I know, but it's much easier to manage if it lists things by the msg in the rule. So, for example, this rule:

alert tcp $HOME_NET any -> [31.214.157.227,31.41.44.130] any (msg:"ET CNC Ransomware Tracker Reported CnC Server TCP group 86"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,$

I want it to say "ET CNC Ransomware Tracker Reported CnC Server TCP group 86" in BASE.

Will

On Fri, Sep 22, 2017 at 3:25 PM, Jim Campbell <jim () w4bqp net> wrote:

Will,

If you hover your cursor over the [snort <http://www.snort.org/search/sid/120-3>] at the beginning of the Alert, you will see the GID-SID at the bottom of the page.

Jim

On 9/22/2017 11:46 AM, William Pearson wrote:

I'm using BASE, and the results snort is giving me are beyond vague. I presume this is an issue with the rules and preprocessing. I couldn't care less about what preprocessor is being used. I'm singularly interested in the actual rule. Why won't it show me the message field in the actual rules?

[snort <http://www.snort.org/search/sid/120-3>] http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

Will

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Question William Pearson (Sep 22)
- Re: Question wkitty42 (Sep 22)
- Re: Question Jim Campbell (Sep 22)
- Re: Question William Pearson (Sep 22)
- Re: Question wkitty42 (Sep 23)
- Re: Question William Pearson (Sep 22)