Monday, October 15, 2018

Importing custom Snort rules into Firepower.

Does anyone have any idea how to do this?

I've gone to Policies -> Intrusion -> Intrusion Rules and tried to import a text file with the following rule in.

alert tcp any any <> any any (flow: established; msg: "APT28 - CompuTrace_Beacon_UserAgent"; content: "|0d0a|TagId|3a| "; fast_pattern; content: "POST / "; content:!"namequery.com"; content:!"Host: 209.53.113."; content:!"dnssearch.org"; content:!"Cookie:"; content:!"fnbcorporate.co.za"; content:!"207.6.98."; pcre: "/Mozilla\/[0-9]{1,2}.[0-9]{1,2} \(compatible\; MSIE [0-9]{1,2}.[0-9]{1,2}\;\)\x0d\x0a/";)

I get an error of "Failed to install rule update".

The documentation Cisco provides for this is terrible. I assume I might be missing GID or SID fields etc., but not really sure.

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117924-technote-firesight-00.html

I did raise this with TAC, who were no help and insist they do not provide support for custom snort rules and redirected me to the above documentation. Not really helpful.

Cheers
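As an added illustration (not from the post, from Cisco, or from the Snort project), here is a small Python checker for the rule above: it splits the option block the way Snort does (honouring the backslash-escaped semicolons inside the pcre), reports the options a custom rule is expected to carry (msg, sid, rev), and appends sid/rev when they are missing. The local-SID range of 1,000,000 and up is Snort's convention and is assumed here to be what Firepower expects for custom rules.

```python
import re
# Snort reserves SIDs >= 1,000,000 for local rules; assumed here to apply to Firepower custom rules too (unverified).
LOCAL_SID_MIN = 1000000
# The rule exactly as posted above (raw strings keep the pcre escapes intact).
RULE = (r'alert tcp any any <> any any (flow: established; msg: "APT28 - CompuTrace_Beacon_UserAgent"; '
        r'content: "|0d0a|TagId|3a| "; fast_pattern; content: "POST / "; content:!"namequery.com"; '
        r'content:!"Host: 209.53.113."; content:!"dnssearch.org"; content:!"Cookie:"; '
        r'content:!"fnbcorporate.co.za"; content:!"207.6.98."; pcre: "/Mozilla\/[0-9]{1,2}.[0-9]{1,2} '
        r'\(compatible\; MSIE [0-9]{1,2}.[0-9]{1,2}\;\)\x0d\x0a/";)')
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)

def split_options(body):
    """Split the option block on ';' outside double quotes; a backslash escapes the next character."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
            continue
        if escaped or ch == '\\':
            escaped = not escaped          # a backslash arms the escape, the next char disarms it
        elif ch == '"':
            in_quote = not in_quote
        cur.append(ch)
    tail = ''.join(cur).strip()
    return opts + [tail] if tail else opts

def parse_rule(rule):
    """Return the rule's options as (keyword, value) pairs; raise ValueError on a malformed header."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError('rule header not recognised: must be a single line ending in ")"')
    return [(k.strip(), v.strip()) for k, _, v in (o.partition(':') for o in split_options(m.group(8)))]

def check_rule(rule):
    """Return the problems that make Snort (and the Firepower importer) reject the rule; [] when clean."""
    try:
        opts = dict(parse_rule(rule))      # repeated keywords such as content collapse; fine for this check
    except ValueError as e:
        return [str(e)]
    problems = [f'missing {k}' for k in ('msg', 'sid', 'rev') if k not in opts]
    sid = opts.get('sid')
    if sid is not None and (not sid.isdigit() or int(sid) < LOCAL_SID_MIN):
        problems.append(f'sid must be a number >= {LOCAL_SID_MIN}, got {sid!r}')
    return problems

def fix_rule(rule, sid):
    """Append sid/rev before the closing parenthesis when absent; the rest of the rule is untouched."""
    opts = dict(parse_rule(rule))
    extra = ('' if 'sid' in opts else f' sid:{sid};') + ('' if 'rev' in opts else ' rev:1;')
    return rule.rstrip()[:-1] + extra + ')'
```

Running check_rule(RULE) on the posted rule reports only the missing sid and rev, which is the first thing to fix before retrying the import.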
