LinuxQuestions.org

Linux - Software > Snort- ips (https://www.linuxquestions.org/questions/linux-software-2/snort-ips-714064/)

priyadarshan 03-24-2009 08:55 AM

Snort- ips

I have made the simplest rule in local.rules as below:

alert tcp any any -> any any (msg:"Japan Dave"; gid:1000001; sid:1000002; rev:1;)

I do get packets trapped in the log files when I execute the command

sudo snort -i eth0 -c /etc/snort/snort.conf -l /etc/snort


But the only thing that annoys me is that I can't find anything like "JAPAN DAVE", which is specified in the msg option, in the log files. :(

JulianTosh 03-25-2009 10:52 PM

You need a content match. The 'msg:"Japan Dave"' portion of your rule is just a description of the rule. Your current rule will fire on any TCP traffic.

Try this instead:
Code:

alert tcp any any -> any any (msg:"This is a test for text: Japan Dave"; content:"Japan Dave"; gid:1000001; sid:1000002; rev:1;)
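The difference between the two rules in this thread (msg as a label versus content as a payload condition) can be replayed without a running Snort. The script below is an added example, not code from the thread or from the Snort project: it parses the two posted rule lines with a deliberately small parser (plain quoted content only, no |hex| bytes or escaped quotes), applies them to a few constructed TCP payloads, and prints the rule-identifying part of a fast-alert record, which is where the msg text actually appears. The nocase variant and the sample payloads are assumptions added here and are not from the thread.

```python
"""Toy model of what Snort does with ``msg`` versus ``content``.

Added example (not from the thread or from Snort). The rule parser handles only
the shape used in the thread: plain quoted ``content``, no ``|hex|`` bytes, no
escaped quotes.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The two rules from the thread, verbatim.
RULE_WITHOUT_CONTENT = ('alert tcp any any -> any any '
                        '(msg:"Japan Dave"; gid:1000001; sid:1000002; rev:1;)')
RULE_WITH_CONTENT = ('alert tcp any any -> any any '
                     '(msg:"This is a test for text: Japan Dave"; content:"Japan Dave"; '
                     'gid:1000001; sid:1000002; rev:1;)')
# Assumption: the same rule with Snort's nocase modifier, not shown in the thread.
RULE_WITH_NOCASE = RULE_WITH_CONTENT.replace('content:"Japan Dave";',
                                             'content:"Japan Dave"; nocase;')

# Constructed payloads standing in for the data of captured TCP segments.
PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"hello Japan Dave, this one contains the string",
    b"JAPAN DAVE in capitals only",
]

# keyword, optional ":value" (quoted or bare), terminated by ';'
_OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("[^"]*"|[^;]*))?;')


@dataclass
class Rule:
    action: str
    proto: str
    msg: str
    content: Optional[bytes]   # None: the rule has no payload condition at all
    nocase: bool
    gid: int
    sid: int
    rev: int


def parse_rule(text: str) -> Rule:
    """Parse a one-line Snort rule of the shape used in the thread."""
    header, _, body = text.partition('(')
    action, proto = header.split()[:2]
    body = body.rstrip().rstrip(')')
    opts = {}
    for key, value in _OPTION_RE.findall(body):
        if value.startswith('"'):
            value = value[1:-1]          # strip the surrounding quotes
        opts[key] = value
    return Rule(
        action=action,
        proto=proto,
        msg=opts.get('msg', ''),
        content=opts['content'].encode() if 'content' in opts else None,
        nocase='nocase' in opts,
        gid=int(opts.get('gid', 1)),     # Snort uses gid 1 when none is given
        sid=int(opts['sid']),
        rev=int(opts.get('rev', 1)),
    )


def matches(rule: Rule, payload: bytes) -> bool:
    """content is the only condition consulted here; msg never is."""
    if rule.content is None:
        return True                      # no content: fires on every segment
    if rule.nocase:
        return rule.content.lower() in payload.lower()
    return rule.content in payload       # byte-exact, case-sensitive


def alert_line(rule: Rule) -> str:
    """The [gid:sid:rev] msg part of a Snort fast-alert record (approximation)."""
    return f"[**] [{rule.gid}:{rule.sid}:{rule.rev}] {rule.msg} [**]"


def run(rule_text: str, payloads=PAYLOADS) -> list:
    """Return (payload index, alert line) for each payload the rule fires on."""
    rule = parse_rule(rule_text)
    return [(i, alert_line(rule)) for i, p in enumerate(payloads) if matches(rule, p)]


if __name__ == "__main__":
    for name, text in [("no content", RULE_WITHOUT_CONTENT),
                       ("content", RULE_WITH_CONTENT),
                       ("content + nocase", RULE_WITH_NOCASE)]:
        hits = run(text)
        print(f"{name}: fired on payloads {[i for i, _ in hits]}")
        if hits:
            print("   ", hits[0][1])
```

Two caveats worth keeping in mind when checking the real thing: in Snort the msg text is written to the alert output (the alert file in the directory given with -l, or the console with -A console), not into the logged packets, so grepping the packet logs for "Japan Dave" finds nothing even when the rule fires; and content matching is byte-exact and case-sensitive unless the rule adds nocase, as the third payload above shows.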

