Snort mailing list archives

Multi Flow Alert


From: Curt Shaffer <cshaffer () gmail com>
Date: Wed, 13 Jan 2010 10:33:16 -0500

I need to write a rule that will alert if I see the following characteristics.

Client establishes port 80 traffic to IP address A. Immediately after
the response of that flow, the same client establishes an SSL session
443 to the same destination.

I know this has potential for false positives as redirection is pretty
common, but if I can create a variable like MALWARE_C2C with a list of
known IPs that this shouldn't happen to, or possibly KNOWN_RDIR hosts,
to keep a simple whitelist rather than blacklist.

Is this possible with Snort, to alert across multiple flows? If so, can
someone point me to some documentation on the directives needed or
give a simple example?

Thanks

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

