2001-08-31T11:05:09Z

Date: Fri, 31 Aug 2001 16:05:09 -0400

We set up syslog for Snort. One rule dumps to a log file and I would like another rule to trigger an email based on the message contents (using the substring). Below is a text example of the alarm:

A syslog message has been received.
Source Host: JAXBLACKBOX
Facility: AUTH/SEC
Priority: ALERT
Text of syslog message:
snort[1144]: [1:0:0] IDS298/web-misc_http-directory-traversal2 [Classification: system integrity attempt] [Priority: 11]: {TCP} xxx.xxx.xxx.xxx:1275 -> xxx.xxx.xxx.xxx:80

Is there a way that I can enter multiple substrings? I was thinking along the lines of using the signature ID...

If I could add a substring in like "IDS298" or "IDS344" or "IDS345" etc. etc...

The priority levels do not seem to work correctly within Snort. The text contains different levels; however, when I pull the priority it is set at ALERT... so there isn't a way to break messages up via priority...

Thanks

Tony

2001-09-01T18:34:53Z

Date: Sat, 1 Sep 2001 17:34:53 +0200

Hi Anthony,

> Is there a way that I can enter multiple substrings? I was thinking along
> the lines of using the signature ID...
>
> If I could add a substring in like "IDS298" or "IDS344" or "IDS345" etc
> etc...

because multiple substrings (separated by a ";") are ANDed, not ORed, you could either create a distinct rule for each substring (one rule for "IDS298", another for "IDS344", etc.) or you could also achieve your desired goal by using only one rule where you specify the substrings as part of a regular expression.

The regular expression which would match "IDS298" OR "IDS344" OR "IDS345" looks like:

IDS298|IDS344|IDS345

You must also select the 'Regular Expression' checkbox.

Franz
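The two filter semantics Franz describes (a ";"-separated substring list that is ANDed, versus a regular expression that is ORed by alternation) and the priority problem Tony raises (the syslog level is ALERT for every alert, while the level that actually varies is the "[Priority: N]" Snort writes into the message text) are easy to get wrong, so here is an added example that models both over sample alerts. This is illustrative code written for this page, not the syslog daemon's own filter code and not anything Tony or Franz posted; the daemon is not named in the thread, so its real matching engine is assumed to behave as Franz states. The sample messages are constructed in the shape of the alarm Tony quoted; apart from IDS298, the signature names, addresses and pids are placeholders. It also shows one caveat Franz's bare alternation does not cover: "IDS298" as an unanchored pattern also matches any signature ID that merely starts with those characters, so the example adds word boundaries.

```python
import re

# Constructed sample syslog message bodies in the shape of the alarm quoted
# in the thread (Snort 1.x alerting via syslog). Only IDS298 and its name are
# from the page; the other signature names, addresses and pids are placeholders.
SAMPLE_MESSAGES = [
    "snort[1144]: [1:0:0] IDS298/web-misc_http-directory-traversal2 "
    "[Classification: system integrity attempt] [Priority: 11]: {TCP} "
    "192.0.2.10:1275 -> 192.0.2.80:80",
    "snort[1144]: [1:0:0] IDS344/placeholder-signature-a "
    "[Classification: placeholder] [Priority: 3]: {TCP} "
    "192.0.2.11:2048 -> 192.0.2.80:80",
    "snort[1144]: [1:0:0] IDS345/placeholder-signature-b "
    "[Classification: placeholder] [Priority: 7]: {UDP} "
    "192.0.2.12:53 -> 192.0.2.53:53",
    # Shares the characters "IDS298" but is a different signature ID; an
    # unanchored alternation selects it by accident.
    "snort[1144]: [1:0:0] IDS2981/placeholder-signature-c "
    "[Classification: placeholder] [Priority: 2]: {TCP} "
    "192.0.2.13:4000 -> 192.0.2.80:22",
    "snort[1144]: [1:0:0] IDS500/placeholder-signature-d "
    "[Classification: placeholder] [Priority: 1]: {ICMP} "
    "192.0.2.14 -> 192.0.2.80",
]

# The signature IDs Tony wants to page on.
WANTED_SIDS = ("IDS298", "IDS344", "IDS345")

# The alternation exactly as Franz wrote it, and an anchored variant with
# word boundaries so that IDS298 does not also catch IDS2981, IDS2982, ...
NAIVE_PATTERN = "|".join(WANTED_SIDS)
ANCHORED_PATTERN = r"\b(?:" + "|".join(WANTED_SIDS) + r")\b"

SID_RE = re.compile(r"\bIDS\d+")
PRIORITY_RE = re.compile(r"\[Priority:\s*(\d+)\]")


def substring_filter(text, substrings):
    """Model of a multi-substring filter whose entries are ANDed (Franz's
    description): every substring must occur in the message."""
    return all(s in text for s in substrings)


def regex_filter(text, pattern):
    """Model of the 'Regular Expression' filter: one match anywhere suffices,
    so alternation gives the OR Tony asked for."""
    return re.search(pattern, text) is not None


def snort_priority(text):
    """Parse the priority Snort embeds in the message text. The syslog-level
    priority is ALERT for every alert, so this is the only level that varies."""
    m = PRIORITY_RE.search(text)
    return int(m.group(1)) if m else None


def matching_sids(messages, pattern):
    """Signature IDs of the messages a regex filter selects."""
    return [SID_RE.search(m).group(0) for m in messages if regex_filter(m, pattern)]


def route(messages, pattern=ANCHORED_PATTERN):
    """Per message: (sid, snort_priority, action), where action is 'email'
    when the pattern selects the signature ID and 'log' otherwise."""
    decisions = []
    for msg in messages:
        sid = SID_RE.search(msg).group(0)
        action = "email" if regex_filter(msg, pattern) else "log"
        decisions.append((sid, snort_priority(msg), action))
    return decisions


def group_by_priority(messages):
    """Bucket messages by the text priority; this is how to 'break messages
    up via priority' when syslog delivers all of them at ALERT."""
    buckets = {}
    for msg in messages:
        buckets.setdefault(snort_priority(msg), []).append(msg)
    return buckets


if __name__ == "__main__":
    # No single alert contains all three IDs, so the ANDed list never fires.
    print("ANDed list fires on IDS298 alert:", substring_filter(SAMPLE_MESSAGES[0], WANTED_SIDS))
    print("naive alternation selects:   ", matching_sids(SAMPLE_MESSAGES, NAIVE_PATTERN))
    print("anchored alternation selects:", matching_sids(SAMPLE_MESSAGES, ANCHORED_PATTERN))
    for decision in route(SAMPLE_MESSAGES):
        print(decision)
    print("priorities seen in text:", sorted(group_by_priority(SAMPLE_MESSAGES)))
```

Whether a low or a high number in "[Priority: N]" is the more severe alert depends on the classification configuration of the Snort version in use, so the example buckets by the parsed value and leaves the threshold decision to the operator rather than hard-coding a direction.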