Rule lookups - Snorby/snorby GitHub Wiki

From Snorby:

Lookup sources are available within the event show view via the source & destination address menus. The following are allowed URL variables: ${ip} and ${port}. Example: http://www.example.com/lookup?address=${ip}

Snort rules:

https://www.snort.org/search?query=$$sid$$

For the VRT ruleset, set Lookup source url to:

http://rootedyour.com/snortsid?sid=$$sid$$

For the Emerging Threats (ET) ruleset, set Lookup source url to:

http://doc.emergingthreats.net/bin/view/Main/$$sid$$
