
List:       snort-users
Subject:    Re: [Snort-users] Question
From:       wkitty42 () windstream ! net
Date:       2017-09-23 16:20:08
Message-ID: a6d1f546-34b8-4b9e-245a-f8e55ef77641 () windstream ! net

On 09/22/2017 06:26 PM, William Pearson wrote:
> Jim,
> 
> Yeah, I know, but it's much easier to manage if it lists things by the msg in 
> the rule.
> 
> So, for example this rule,
> 
> alert tcp $HOME_NET any -> [31.214.157.227,31.41.44.130] any (msg:"ET CNC 
> Ransomware Tracker Reported CnC Server TCP group 86"; flags:S; 
> reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,$
> 
> I want it to say "ET CNC Ransomware Tracker Reported CnC Server TCP group 86" in 
> BASE.


that's what it should be doing... what are you seeing?

could it be that your sidmsg.map file is not up to date with the rules you have 
loaded?

is it the existence of the "[snort]" link at the beginning that you don't like?


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*