Snort mailing list archives
Re: Alarm rule specific to a network session
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 22 Mar 2013 10:45:58 -0400
On Mar 22, 2013, at 10:36 AM, Knut Borg <knutborg () gmail com> wrote:
Hey I know this is mostly unlikely, but I'm willing to give it a shot. If you create a detection rule based on a magic number of a specific file, is it possible to make a new rule which will detect the footer of the file in that specific session? I.e. the "footer" alarm will not trigger if no header has been detected in the same session.
Dear Knut,

Thanks for your email. I believe you will find what you are looking for here: http://manual.snort.org/node470.html

Flowbits are a way to tie two rules together for one result.

Take a look at the file-identify.rules category for rules that detect different types of files, and if you have any rules written (or write any) that we don't already cover, we'd be glad to include them.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
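As an added illustration of the flowbits approach described in the reply above (this is not a rule from the thread, from Joel Esler, or from the Sourcefire file-identify.rules set), the pair of rules below shows the header/footer pairing Knut asked about. PDF is used as the example file type because its header ("%PDF-") and trailer marker ("%%EOF") are well known; the sid values are constructed in the local (1000000+) range, the flowbit name local.pdf_header_seen is an arbitrary label chosen here, and the rules assume the standard $HOME_NET / $EXTERNAL_NET / $HTTP_PORTS variables and an http_inspect preprocessor so that file_data positions the cursor at the HTTP response body.

```snort
# Rule 1: the "header" rule. Matches the PDF magic number at the start of an
# HTTP response body, records that fact on the TCP session with flowbits:set,
# and deliberately stays silent (flowbits:noalert) so only the pairing alerts.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF header seen in session (constructed example)"; flow:to_client,established; file_data; content:"%PDF-"; depth:5; flowbits:set,local.pdf_header_seen; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)

# Rule 2: the "footer" rule. Fires only when the PDF trailer marker appears in
# a session where rule 1 has already set the flowbit. A "%%EOF" seen in a
# session with no preceding header will not alert.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF footer seen after header in same session (constructed example)"; flow:to_client,established; file_data; content:"%%EOF"; flowbits:isset,local.pdf_header_seen; classtype:misc-activity; sid:1000002; rev:1;)
```

Two things a practitioner will want to check: flowbits are tracked per flow by the stream preprocessor, so both rules must apply to the same direction and session (here, server-to-client HTTP), and the rule file should be validated with a configuration test run (snort -T -c snort.conf) before deployment so that a typo in the flowbit name or option syntax surfaces as a load error rather than as a rule that silently never fires.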