Re: [Snort-users] help with rules - data capturing

From: Joel Esler <joel.esler_at_nospam>
Date: Sat Dec 22 2007 - 02:29:12 GMT
To: Timothy Ding <iolabs@gmail.com>

Rule of thumb. Regardless of the problem you are having, always update to current version (2.8.0.1) before asking for help. That is usually the first troubleshooting step. -- Joel Esler joel.esler@sourcefire.com On Dec 21, 2007, at 8:01 PM, Timothy Ding wrote:
> many thanks for the reply Paul, i still don't get any results from
> the rule, could it possibly be the version of snort (ver 2.3.3) that
> i am using?
>
> Regards,
> Tim
>
> I think it should work pretty much as-is, but here is how I would
> write the rule:
>
> alert tcp any any -> $HOME_NET 13001 (msg: "GPRMC found in packet"; \
> flow:to_server,established; content:"|24|GPRMC"; nocase; sid:9999000;)
>
> Use the flow: directive to only analyze packets that are in-state for
> the connection described. I also hexified the $ in $GPRMC just to be
> safe. That way it doesn't get treated like a variable by anything
> that parses that rule. And then use some non-published sid value so
> that if you're using BASE, SGUIL, or something else that lets you
> search/sort by sid values, you can access it.
>
> PaulM
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/_______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

This message: [ Message body ]
Next message: Joel Esler: "Re: [Snort-users] [ASK] Silent Interface??"
Previous message: Rachmat Hidayat Al-Anshar: "Re: [Snort-users] [ASK] Silent Interface??"
In reply to: Timothy Ding: "Re: [Snort-users] help with rules - data capturing"
Next in thread: Paul Melson: "Re: [Snort-users] help with rules - data capturing"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]