Alert formats
Let’s discuss the different alert formats. To do that, let’s take an example. We have a Snort signature, as follows:
alert http any any -> any any (msg:"Download HTML Rule"; flow:established,to_server; http_uri; content:"|2F|download|2E|html"; http_header; content:"Host|3A 20|www|2E|ethereal|2E|com"; content:"User|2D|Agent|3A 20|Mozilla",distance 0; sid:123459991;)
The signature is an HTTP signature that looks for /download.html in the HTTP URI, and for Host: www.ethereal.com and User-Agent: Mozilla in the HTTP headers.
Note
Please note that the content rule option uses the | character to specify hexadecimal values. For example, |2D| would denote a - (hyphen) character.
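To make the hex escaping and the relative content matching concrete, here is an added example (not code from the original text or from Snort itself) that decodes the three content strings of the rule above into raw bytes and checks them against a constructed HTTP request. The request bytes, the split of the request into URI and header block, and the simplified treatment of the http_uri and http_header buffers are assumptions made for this illustration; Snort's own buffer normalization is more involved.

```python
"""Decode Snort content strings that use |hex| escapes and apply the
rule's three content checks to a sample HTTP request.

Added example for illustration; it is not Snort code. The request below
is constructed for this example to satisfy the rule's criteria."""
import re

# Constructed sample request: URI, Host header and User-Agent header
# match what the rule looks for.
SAMPLE_REQUEST = (
    b"GET /download.html HTTP/1.1\r\n"
    b"Host: www.ethereal.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# A run of hex pairs between pipe characters, e.g. "|3A 20|".
_HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def decode_content(pattern: str) -> bytes:
    """Translate a Snort content string into the bytes it matches.

    Text outside pipes is copied literally; inside pipes, whitespace-
    separated hex pairs become single bytes, so "|2F|download|2E|html"
    decodes to b"/download.html".
    """
    out = bytearray()
    pos = 0
    for m in _HEX_RUN.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))  # fromhex skips the spaces
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


def split_request(raw: bytes):
    """Return (uri, header_block) from a raw HTTP request.

    Simplification of Snort's http_uri / http_header buffers: the URI is
    the second token of the request line, and the header block is the
    text after the request line up to the blank line.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, headers


def rule_matches(raw: bytes) -> bool:
    """Apply the rule's content checks in order.

    The User-Agent content carries distance 0, so it must be found
    after the end of the preceding Host match rather than anywhere in
    the header block.
    """
    uri, headers = split_request(raw)
    if decode_content("|2F|download|2E|html") not in uri:
        return False
    host = decode_content("Host|3A 20|www|2E|ethereal|2E|com")
    host_at = headers.find(host)
    if host_at < 0:
        return False
    user_agent = decode_content("User|2D|Agent|3A 20|Mozilla")
    return headers.find(user_agent, host_at + len(host)) >= 0


if __name__ == "__main__":
    print(decode_content("Host|3A 20|www|2E|ethereal|2E|com"))
    print("alert" if rule_matches(SAMPLE_REQUEST) else "no alert")
```

The last check is where the distance option matters: a request that carries the same User-Agent header before the Host header satisfies every individual content string but not the relative ordering the rule expresses, so the function returns False for it.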
The packet capture that we use for this exercise is given here (in tcpdump format). We note that all the criteria for the aforementioned Snort rule are satisfied by the HTTP request in the packet capture. Hence, we expect an alert from Snort: