I have the following rule meant to alert on MSN IMs. How would I adjust the rule so that non MSN traffic containing the string ‘MSG’ isn’t captured?
alert tcp $EXTERNAL_NET any → $HOME_NET any (content:“MSG”; sid:1585658;)
I’m not a rule writer, so if I wanted to get some idea on how to write that, I would have a look at the suricata.rules file, which contains the set of open rules by Emerging Threats, and see what they have for MSN it may be that they have what you want, or maybe there are enough use cases that you understand what would your custom rule need…
(In case you’re wondering, to find out where are the suricata rules in your local install, you may run suricata --dump-config, one of the last things listed is the default-rule-path. )