Menu
▾
▴
Re: [Packetfence-users] Regexps for Snort rules
|
From: Peter B. <p....@go...> - 2010-05-14 14:47:22
|
Hello all...
--On 13 May 2010 11:52 -0400 Olivier Bilodeau <obi...@in...> wrote:
> The week before last week, I was digging in the trigger generation code
> and noticed a feature I've never used. It would seem that you can do
> something like this:
> trigger=Detect::70020001-70023229
from conf/violations.conf:
[2010348]
desc=Zeus
priority=2
auto_enable=Y
url=/content/index.php?template=trojan
disable=N
trigger=Detect::2010348,Detect::70020001-7003240
actions=trap,email,log
>From packetfence.log:
May 14 15:11:34 pfdetect(0) INFO: alert received: 05/14-15:11:34.056359
[**] [1:7003230:0] Zeus [**] [Classification: Potential Corporate Privacy
Violation] [Priority: 1] {TCP} 10.170.169.40:49166 -> 216.8.179.23:80
(main::)
May 14 15:11:34 pfdetect(0) INFO: pfdetect: violation 7003230 [Zeus]:
00:1c:b3:c6:96:59 (main::)
It doesn't write anything to violation.log or actually trigger a violation
however.
Am I missing something?
--
Peter Bates, Network Support & Development Officer
Goldsmiths, University of London
New Cross, London SE14 6NW. Telephone: 020 7919 7082
|