Snort mailing list archives
Re: Snort Return/Response packets
From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 28 Dec 2011 08:07:17 -0500
That's what flowbits are for. See here: http://manual.snort.org/node32.html#SECTION004610000000000000000

On Wed, Dec 28, 2011 at 6:33 AM, Thibault SOC <thibaultsoc () gmail com> wrote:
Hi,

I would like to know if Snort can handle the response packets from an attack. For example, for a web attack: if an "XSS attempt" rule matches, I want to get another Snort alarm based on the HTTP response code, like "200 OK", "403 Forbidden" or "404 Not Found", linked to the first alarm (XSS). I don't want to create a "200 OK" rule because it will match all web traffic; but I want to create a rule that will only match traffic/responses regarding the attack. This 2nd alarm can help me to see if the attack is a success or not in my SIEM (with correlation rules).

Thanks for help/feedback,
Thibault.
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
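A worked illustration of the flowbits approach Alex points to, added here as an example rule pair and not taken from the thread or from any Sourcefire/Snort ruleset. The first rule tags the TCP flow when an XSS-looking request is seen; the second fires only if a 200 response then arrives on that same flow. Assumed: Snort 2.9-style syntax with the HTTP inspect preprocessor enabled, the standard $HTTP_SERVERS/$HTTP_PORTS/$EXTERNAL_NET variables from snort.conf, the flowbit name web.xss_attempt, and local SIDs 1000001 and 1000002 (all chosen for the example).

```snort
# Rule 1: request side. Detects a simple XSS probe in the URI and raises the
# flowbit "web.xss_attempt" on this TCP flow. It still alerts on its own,
# so the SIEM sees the attempt regardless of how the server answers.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"WEB-ATTACK XSS attempt in URI"; \
    flow:to_server,established; \
    content:"<script"; nocase; http_uri; \
    flowbits:set,web.xss_attempt; \
    classtype:web-application-attack; \
    sid:1000001; rev:1; )

# Rule 2: response side. Matches ONLY on flows where rule 1 fired, so a
# plain "200" status never triggers it on normal traffic. http_stat_code
# restricts the content match to the HTTP status code field. The flowbit is
# cleared afterwards so one request yields at most one response alert.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"WEB-ATTACK XSS attempt answered with 200 OK"; \
    flow:to_client,established; \
    flowbits:isset,web.xss_attempt; \
    content:"200"; http_stat_code; \
    flowbits:unset,web.xss_attempt; \
    classtype:successful-user; \
    sid:1000002; rev:1; )
```

Copies of rule 2 with "403" or "404" in the http_stat_code match (and their own SIDs) give the "blocked" and "not found" outcomes the original question asks about. Two caveats for the SIEM side: a flowbit lives on a single TCP flow, so the pairing is lost if the request and response are on different connections, and a 200 status only shows that the server accepted the request, not that the payload was actually reflected; the response-side rule can be tightened further by also matching the probe string in the response body via file_data.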
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort Return/Response packets Thibault SOC (Dec 28)
- Re: Snort Return/Response packets Alex Kirk (Dec 28)
- Re: Snort Return/Response packets Thibault SOC (Dec 28)
- Re: Snort Return/Response packets Alex Kirk (Dec 28)