Snort mailing list archives
Alert on logical detection
From: Laurent Juin <ljuin () gerpi fr>
Date: Wed, 30 Oct 2002 08:58:49 +0100
Hello,

I would like to alert only when snort sees an HTTP packet from a host AND does NOT see another HTTP packet from the same host within the next 15 seconds. How do you write this logical match with snort rules?

I think about the following:

First solution: I can do it with the tag option to log all the packets from the source host during the 15 seconds.

    var MY_NET 192.168.1.0/24
    var MY_CGI_SERVER 192.168.1.1
    var MY_IMAGE_SERVER 192.168.1.2
    var HTTP 80
    alert tcp !$MY_NET any -> $MY_CGI_SERVER $HTTP (content:"GET"; content:".cgi"; tag: host, 15, seconds, src; msg:"Get CGI";)

And I will do post analysis from the log to see if the source host does or does not request a GET to $MY_IMAGE_SERVER. But the growing traffic will overflow the logging and analysis process.

Second solution:

    log tcp !$MY_NET any -> $MY_CGI_SERVER $HTTP (content:"GET"; content:".cgi"; msg:"Get CGI"; logto:"host-get-cgi.file";)
    log tcp !$MY_NET any -> $MY_IMAGE_SERVER $HTTP (content:"GET"; content:".jpg"; msg:"Get JPEG"; logto:"host-get-image.file";)

And I will do diff host-get-cgi.file host-get-image.file to get the hosts that did NOT request the $MY_IMAGE_SERVER. But I cannot react within 15 seconds.

Third solution: Can you write another solution?

Laurent
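The correlation the post asks for (a "Get CGI" alert from a host that is not followed by a "Get JPEG" alert from the same host within 15 seconds) cannot be expressed in a single Snort rule, but it is easy to implement as a small stateful correlator over Snort's alert output. The following is an added example, not code from the original post or from the Snort project. It assumes Snort writes the two rules' alerts in alert_fast format with the messages "Get CGI" and "Get JPEG" exactly as in the post, and the sample alert lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Snort alert_fast line layout (assumed):
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\] .*?"
    r"\{TCP\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)

CGI_MSG = "Get CGI"      # msg of the rule watching $MY_CGI_SERVER
IMAGE_MSG = "Get JPEG"   # msg of the rule watching $MY_IMAGE_SERVER
WINDOW = timedelta(seconds=15)

# Constructed sample alerts (not real traffic). Host .10 and .30 fetch an image
# within 15 s of their CGI request; host .20 only fetches one 50 s later.
SAMPLE_ALERTS = """\
10/30-08:58:49.000100 [**] [1:1000001:1] Get CGI [**] [Priority: 0] {TCP} 203.0.113.10:40001 -> 192.168.1.1:80
10/30-08:58:50.000200 [**] [1:1000001:1] Get CGI [**] [Priority: 0] {TCP} 203.0.113.20:40002 -> 192.168.1.1:80
10/30-08:58:52.000300 [**] [1:1000002:1] Get JPEG [**] [Priority: 0] {TCP} 203.0.113.10:40003 -> 192.168.1.2:80
10/30-08:59:10.000400 [**] [1:1000001:1] Get CGI [**] [Priority: 0] {TCP} 203.0.113.30:40004 -> 192.168.1.1:80
10/30-08:59:20.000500 [**] [1:1000002:1] Get JPEG [**] [Priority: 0] {TCP} 203.0.113.30:40005 -> 192.168.1.2:80
10/30-08:59:40.000600 [**] [1:1000002:1] Get JPEG [**] [Priority: 0] {TCP} 203.0.113.20:40006 -> 192.168.1.2:80
"""


def parse_alert(line):
    """Return (timestamp, msg, src, dst) for one alert_fast line, or None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # alert_fast carries no year; strptime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    return ts, m["msg"], m["src"], m["dst"]


def correlate(lines, window=WINDOW):
    """Emit (src, deadline) for every CGI request not followed by an image
    request from the same source within `window`.

    Returns (alerts, pending): `pending` maps sources whose window had not yet
    closed when the input ended to their deadline, so a caller can expire them
    later (e.g. from a timer) instead of silently losing them.
    """
    pending = {}   # src -> deadline of the oldest unanswered CGI request
    alerts = []

    def expire(now):
        for src, deadline in list(pending.items()):
            if deadline <= now:
                alerts.append((src, deadline))
                del pending[src]

    for line in lines:
        ev = parse_alert(line)
        if ev is None:
            continue          # skip blank or non-alert lines
        ts, msg, src, _dst = ev
        expire(ts)            # close every window that ended before this event
        if msg == CGI_MSG:
            pending.setdefault(src, ts + window)   # keep the earliest deadline
        elif msg == IMAGE_MSG:
            pending.pop(src, None)                  # host answered in time
    return alerts, pending


def alerted_hosts(lines, window=WINDOW):
    """Convenience wrapper: just the sources that should be alerted on."""
    alerts, _pending = correlate(lines, window)
    return [src for src, _deadline in alerts]


if __name__ == "__main__":
    alerts, pending = correlate(SAMPLE_ALERTS.splitlines())
    for src, deadline in alerts:
        print(f"ALERT {src}: no image request within 15 s (window closed {deadline.time()})")
    if pending:
        print("still waiting on:", pending)
```

Windows are expired lazily, when the next alert arrives, so in a live deployment (for example reading the alert file with `tail -f`) a periodic timer should call the expiry step as well; otherwise a host whose window closes during a quiet period is only reported once the next alert of any kind comes in. The state kept per source is a single timestamp, so unlike the tag-based approach the cost does not grow with the volume of tagged traffic.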