Tags: dynamic, packets, snort

How can I match packet content dynamically in Snort?


I want to check a keyword against packet content in Snort, but not a static word.

I want it to be dynamic, for example getting this keyword from the terminal in Ubuntu.

alert tcp any any -> any any (msg:" your content found"; sid:100000; content:"something to find"; )   

That code is used for a static value.

Share your ideas please.

Thanks.


Solution

  • I think the only way to accomplish something like this would be to use a shared object rule. I do not believe there is any way to do it otherwise. Shared object rules are one of the more difficult things to implement in Snort rules, but it would certainly be possible to do something like this with it. I recommend reading this blog post about how to use shared object rules.
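A simpler alternative to the shared-object approach above, added here as an example that is not part of the question or the answer: take the keyword from the terminal at rule-generation time and hex-encode it in Snort's |xx xx| content notation, so characters that are special inside a content string (; " \ |) need no escaping and cannot break the rule. The sid, the msg text and the rules file path are assumptions; the rule must be written to the rules file and Snort reloaded before it takes effect.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a Snort rule whose content
# keyword comes from a terminal argument.

# Encode a string as Snort hex content, e.g. "abc" -> "|61 62 63|".
# Using hex avoids escaping ; " \ and | inside the content string.
to_snort_hex() {
    hex=$(printf '%s' "$1" | od -An -v -tx1 | tr -d '\n' | tr -s ' ' \
          | sed 's/^ //; s/ $//')
    printf '|%s|' "$hex"
}

# Print a complete rule for the given keyword and sid (sid is an assumed value;
# pick one that does not collide with your existing rules).
make_rule() {
    keyword=$1
    sid=$2
    # Snort rejects an empty content match, so refuse it here.
    [ -n "$keyword" ] || { echo "keyword must not be empty" >&2; return 1; }
    printf 'alert tcp any any -> any any (msg:"your content found"; content:"%s"; sid:%s; rev:1;)\n' \
        "$(to_snort_hex "$keyword")" "$sid"
}

# Append a rule to a rules file (path is an assumption); reload Snort afterwards.
append_rule() {
    rules_file=$1
    keyword=$2
    sid=$3
    rule=$(make_rule "$keyword" "$sid") || return 1
    printf '%s\n' "$rule" >> "$rules_file"
}

# Usage: ./dynrule.sh 'keyword to find' [sid]
if [ $# -ge 1 ]; then
    make_rule "$1" "${2:-1000001}"
fi
```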