Snort mailing list archives

snort rule - question about flowbits


From: Dana Igra via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 14 Apr 2022 15:06:21 +0300

Hi!
I saw the blog on https://seclists.org/snort/, and I would be happy to have
your help with a question:

I'm trying to build a single session with flowbits to save the packets from
both rules in the same session.
My rules are similar to the following example (please ignore the content,
it is just for the example and not the problem):

    alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"example";
        flow:to_server,established; content:"SMB"; depth:8; content:"example1";
        flowbits:set,example; sid:1234; rev:1; tag:session,100,packets,60,seconds;)

    alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"example";
        flow:to_server,established; content:"SMB"; depth:8; content:"example2";
        flowbits:isset,example; sid:1235; rev:1; tag:session,100,packets,60,seconds;)

The good thing is that both rules work, and I have packets from both of them.
The problem is that they are not saved in the same session. I want a single
session to be created when both of the contents are seen. Is there a way to
do that?
Thanks!!

Dana
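For readers following the question, here is an added illustration that is not part of Dana's post and is not Snort's own code: a simplified Python model of the two mechanisms the rules above combine. It shows how a flowbit set by sid 1234 is tracked per TCP flow, so sid 1235 only alerts on the flow where "example1" was already seen, and how each alert opens its own tag window for later packets of that flow. The flow keys, payloads and packet limits are constructed for the example, and the model deliberately ignores stream reassembly, timeouts and the seconds limit of the tag option.

```python
"""Simplified model of Snort flowbits and tag:session behaviour.

Constructed illustration, not Snort's implementation: it keeps one
flowbits set per TCP flow and one tag window per alert, and evaluates
rules in order on each to-server packet.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A flow is identified by (src, sport, dst, dport), like a TCP session.
FlowKey = Tuple[str, int, str, int]


@dataclass
class Rule:
    sid: int
    content: bytes                   # second content match, anywhere in payload
    set_bit: Optional[str] = None    # flowbits:set,<name>
    isset_bit: Optional[str] = None  # flowbits:isset,<name>
    tag_packets: int = 100           # tag:session,<n>,packets (seconds ignored here)


@dataclass
class TagWindow:
    """Packets of one flow logged after one alert, up to the packet limit."""
    sid: int
    flow: FlowKey
    remaining: int
    logged: List[bytes] = field(default_factory=list)


# The two rules from the post, reduced to the options this model understands.
RULES = [
    Rule(sid=1234, content=b"example1", set_bit="example"),
    Rule(sid=1235, content=b"example2", isset_bit="example"),
]


class Engine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flowbits: Dict[FlowKey, Set[str]] = {}
        self.tags: List[TagWindow] = []

    def _matches(self, rule: Rule, bits: Set[str], payload: bytes) -> bool:
        # content:"SMB"; depth:8; -> "SMB" must lie entirely within the first 8 bytes
        if payload.find(b"SMB", 0, 8) == -1:
            return False
        if rule.content not in payload:
            return False
        # flowbits:isset only passes if an earlier packet of this flow set the bit
        if rule.isset_bit is not None and rule.isset_bit not in bits:
            return False
        return True

    def process(self, flow: FlowKey, payload: bytes) -> List[int]:
        """Evaluate one to-server packet; return the sids that alert on it."""
        # Open tag windows on this flow log the packet before rule evaluation.
        for tag in self.tags:
            if tag.flow == flow and tag.remaining > 0:
                tag.logged.append(payload)
                tag.remaining -= 1
        bits = self.flowbits.setdefault(flow, set())
        alerts = []
        for rule in self.rules:
            if self._matches(rule, bits, payload):
                alerts.append(rule.sid)
                if rule.set_bit is not None:
                    bits.add(rule.set_bit)       # flowbits:set on a full match
                # Each alert starts its own tag window, even on the same flow.
                self.tags.append(TagWindow(rule.sid, flow, rule.tag_packets))
        return alerts


def demo():
    """Run constructed packets on two flows; return the engine and per-packet alerts."""
    engine = Engine(RULES)
    flow_a: FlowKey = ("10.0.0.5", 49152, "10.0.0.9", 445)  # constructed
    flow_b: FlowKey = ("10.0.0.6", 49153, "10.0.0.9", 445)  # constructed
    results = [
        engine.process(flow_a, b"\xffSMB example1 request"),  # sets bit on flow_a
        engine.process(flow_b, b"\xffSMB example2 request"),  # flow_b: bit never set
        engine.process(flow_a, b"\xffSMB example2 request"),  # flow_a: bit is set
        engine.process(flow_a, b"padding..SMB example1"),     # "SMB" past depth 8
    ]
    return engine, results


if __name__ == "__main__":
    eng, res = demo()
    print("alerts per packet:", res)
    for t in eng.tags:
        print(f"tag from sid {t.sid} on {t.flow} logged {len(t.logged)} later packet(s)")
```

Running it shows that the second flow never alerts on sid 1235 because its flowbit was never set, and that the same flow ends up with two separate tag windows, one per alert, which is the "two sessions" effect described in the post.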
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
