Snort mailing list archives

Re: Snort as IPS and correlation


From: <stephane.nasdrovisky () paradigmo com>
Date: Fri, 10 Apr 2015 20:32:59 +0200

My guess is flowbit: set in rule A.
flowbit: isset in rule B. (rule B takes action, not rule A)

The PDF manual (https://www.snort.org/documents/1 or https://www.snort.org/#documents) says:
3: writing snort rules
3.6: non-payload detection rule options
3.6.10 flowbits
Most of the options need a user-defined name for the specific state that is being checked.

flowbits:[set|isset][, <GROUP_NAME>];

You'll find flowbit: set examples in some existing rules.
flowbit is described in “ips options” for Snort 3/snort++.
Other solutions may come from other IDSs like Bro, Prelude IDS or Haka.

Subject: [Snort-sigs] Snort as IPS and correlation

1- Snort receives a packet that matches a rule [RULE A] (RULE A includes blocking the source address in iptables
through SnortSam)

2- Action for [RULE A] stands in "standby" until another rule [RULE B] is matched

3- Once [RULE B] is matched, then [RULE A] performs actions configured on it.
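The set/isset pairing described above, written out as an added example (not part of the original thread; the content matches, SIDs and the state name are placeholders): rule A only records state on the flow and stays silent, rule B checks that state and carries the drop action.

```snort
# RULE A: first condition. Sets the flowbit "stage1.seen" on this TCP
# session and suppresses its own alert (flowbits:noalert), so nothing
# happens yet. Placeholder content; adapt to the real first-stage match.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (
    msg:"CORRELATION stage 1 seen, state recorded";
    flow:to_server,established;
    content:"/setup.php"; http_uri;
    flowbits:set,stage1.seen;
    flowbits:noalert;
    classtype:attempted-recon;
    sid:1000001; rev:1;
)

# RULE B: second condition. Matches only if "stage1.seen" was set earlier
# on the same session (flowbits:isset). The enforcement action (drop in
# inline mode, or a SnortSam output plugin configured on this SID) lives
# here, which is what makes "rule A waits for rule B" work in practice.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (
    msg:"CORRELATION stage 2 after stage 1 on same flow, blocking";
    flow:to_server,established;
    content:"/admin"; http_uri;
    flowbits:isset,stage1.seen;
    classtype:attempted-admin;
    sid:1000002; rev:1;
)
```

Flowbits are tracked per transport session, so this correlates events within one TCP flow, not across separate connections from the same source address; for cross-session correlation the state has to be kept elsewhere (an output plugin, SnortSam, or an external correlator).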

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org