
Guest (Topic Starter)
Date: Fri, 31 Aug 2001 16:05:09 -0400

We set up syslog for snort. One rule dumps to a log file and I would like
another rule to trigger an email based on the message contents (using the
substring). Below is a text example of the alarm:

A syslog message has been received.
Source Host: JAXBLACKBOX
Facility: AUTH/SEC
Priority: ALERT

Text of syslog message:
snort[1144]: [1:0:0] IDS298/web-misc_http-directory-traversal2
[Classification: system integrity attempt] [Priority: 11]: {TCP}
xxx.xxx.xxx.xxx:1275 -> xxx.xxx.xxx.xxx:80

Is there a way that I can enter multiple substrings? I was thinking along
the lines of using the signature ID...

If I could add a substring in like "IDS298" or "IDS344" or "IDS345" etc
etc...

The priority levels do not seem to work correctly within snort. The text
contains different levels; however, when I pull the priority it is set at
ALERT...so there isn't a way to break messages up via priority...

Thanks
Tony




Guest
Date: Sat, 1 Sep 2001 17:34:53 +0200

Hi Anthony,

> Is there a way that I can enter multiple substrings? I was thinking along
> the lines of using the signature ID...
>
> If I could add a substring in like "IDS298" or "IDS344" or "IDS345" etc
> etc...

Because multiple substrings (separated by a ";") are ANDed, not ORed, you
could either create a distinct rule for each substring (one rule for
"IDS298", another for "IDS344", etc.) or you could achieve your desired
goal with only one rule, where you specify the substrings as part of a
regular expression:

The regular expression which would match "IDS298" OR "IDS344" OR "IDS345"
looks like:

IDS298|IDS344|IDS345

You must also select the 'Regular Expression' checkbox.

Franz
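The two matching semantics discussed in this thread (several substrings ANDed together versus one regular expression whose alternation gives OR), plus the point that the usable severity is the "[Priority: N]" field in the Snort text rather than the syslog priority, as an added Python example. This is not code from the thread or from any syslog product; the sample alerts are constructed (documentation-range addresses, placeholder names for IDS344 and IDS500), and the function names are the example's own.

```python
import re

# Constructed sample alerts modelled on the Snort-over-syslog text quoted in
# the thread. Hosts use the documentation range 192.0.2.0/24; the IDS344 and
# IDS500 signature names are placeholders, not real Snort signature titles.
SAMPLE_ALERTS = [
    "snort[1144]: [1:0:0] IDS298/web-misc_http-directory-traversal2 "
    "[Classification: system integrity attempt] [Priority: 11]: {TCP} "
    "192.0.2.10:1275 -> 192.0.2.80:80",
    "snort[1144]: [1:0:0] IDS344/example-signature-a "
    "[Classification: web application attack] [Priority: 8]: {TCP} "
    "192.0.2.11:1300 -> 192.0.2.80:80",
    "snort[1144]: [1:0:0] IDS500/example-signature-b "
    "[Classification: misc activity] [Priority: 3]: {UDP} "
    "192.0.2.12:1400 -> 192.0.2.80:53",
]


def substring_filter(text, substrings):
    """Substring-rule semantics as described in the reply: every listed
    substring must be present (AND), so putting several signature IDs in
    one substring field never matches a single alert."""
    return all(s in text for s in substrings)


def regex_filter(text, pattern):
    """Regular-expression rule semantics: the alert matches if the pattern
    is found anywhere in the text, so alternation ('a|b|c') gives OR."""
    return re.search(pattern, text) is not None


def sid_pattern(sids):
    """Build the alternation pattern from a list of signature IDs. Each ID
    is escaped and wrapped in word boundaries so that a rule for 'IDS29'
    does not also fire on 'IDS298'."""
    alternatives = "|".join(re.escape(s) for s in sids)
    return r"\b(?:%s)\b" % alternatives


def text_priority(text):
    """Pull the Snort priority out of the message body. As the thread notes,
    the syslog priority of every alert arrives as ALERT, so the only usable
    severity is the '[Priority: N]' field inside the text. Returns None when
    the field is absent."""
    m = re.search(r"\[Priority: (\d+)\]", text)
    return int(m.group(1)) if m else None


def select_for_email(alerts, sids):
    """The single-rule approach from the reply: one regex with alternation
    selects alerts carrying any of the wanted signature IDs. Returns
    (matched_sid, snort_text_priority, alert) tuples so a caller can apply
    its own severity threshold from the text field."""
    pattern = re.compile(sid_pattern(sids))
    selected = []
    for alert in alerts:
        m = pattern.search(alert)
        if m:
            selected.append((m.group(0), text_priority(alert), alert))
    return selected


if __name__ == "__main__":
    wanted = ["IDS298", "IDS344", "IDS345"]
    # The ANDed substring field: both IDs are required, so nothing matches.
    print("substring AND:", [substring_filter(a, wanted) for a in SAMPLE_ALERTS])
    # The regex rule from the reply: any one ID is enough.
    print("regex OR:     ", [regex_filter(a, "|".join(wanted)) for a in SAMPLE_ALERTS])
    for sid, prio, alert in select_for_email(SAMPLE_ALERTS, wanted):
        print("email:", sid, "priority", prio, "->", alert[:60], "...")
```

The word-boundary anchoring in `sid_pattern` is the one refinement over the bare `IDS298|IDS344|IDS345` from the reply: it keeps a short ID from matching inside a longer one, which matters once the ID list grows.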