Snort mailing list archives
snort rule- question about flowbits
From: Dana Igra via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 6 Jun 2022 17:58:16 +0300
Hi! I saw the blog on https://seclists.org/snort/, and I would be happy to have your help with a question. I'm trying to build a single session with flowbits to save the packets from both rules in the same session. My rules are similar to the following example (please ignore the content, it is just for the example and not the problem):

    alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"example"; flow:to_server,established; content:"SMB"; depth:8; content:"filename1"; flowbits:set,example; sid:1234; rev:1; tag:session,100,packets,60,seconds;)

    alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"example"; flow:to_server,established; content:"SMB"; depth:8; content:"filename2"; flowbits:isset,example; sid:1235; rev:1; tag:session,100,packets,60,seconds;)

I'm looking for an SMB session that contains both a file named "filename1" and a file named "filename2". I know for sure that both of the files exist in the same session, but in different packets in this session. What I want to do is to write some rules that will give me the full session containing both of the files.

When I'm using the rules above, I get 2 separate sessions and not the full one, because the second rule starts to "catch" the data only when it sees the content. The good thing is that both of the rules work, and I have packets from both of them. The problem is that they are not saved in the same session. I want a single session to be created when both of the contents are seen.

Is there a way to do that?

Thanks!
Dana
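To illustrate the behaviour described in the post, here is a small added model (not Snort's code and not from the poster) of how a flowbits set/isset pair and tag:session interact on one TCP session. It assumes simple substring matching instead of Snort's content/depth checks, and that a tag window starts at the packet that raised the alert and ends after the configured packet count or seconds; the packet sequence is constructed.

```python
# Added example: simplified model of flowbits + tag:session on one session.
# Packet data, timings and matching are constructed/simplified, not Snort's engine.
from dataclasses import dataclass, field


@dataclass
class Rule:
    sid: int
    content: bytes
    flowbit_op: str          # "set" or "isset"
    flowbit_name: str
    tag_packets: int = 100   # tag:session,100,packets
    tag_seconds: int = 60    # tag:session,60,seconds


@dataclass
class TagWindow:
    sid: int
    start_ts: float
    packets: int
    seconds: int
    captured: list = field(default_factory=list)


def run_session(packets, rules):
    """packets: list of (seconds since session start, payload) for ONE session.
    Returns {sid: [indices of packets logged by that rule's tag]}.
    Assumes each rule fires at most once per session (one window per sid)."""
    flowbits = set()
    windows = []
    for idx, (ts, payload) in enumerate(packets):
        # Packets inside an already-open tag window are logged to that window.
        for w in windows:
            if len(w.captured) < w.packets and ts - w.start_ts <= w.seconds:
                w.captured.append(idx)
        for r in rules:
            if r.content not in payload:
                continue
            if r.flowbit_op == "set":
                flowbits.add(r.flowbit_name)
            elif r.flowbit_op == "isset" and r.flowbit_name not in flowbits:
                continue  # bit not set yet: rule does not fire on this packet
            # Rule fires: tagging begins HERE, not at the start of the session.
            windows.append(TagWindow(r.sid, ts, r.tag_packets, r.tag_seconds, [idx]))
    return {w.sid: w.captured for w in windows}


SESSION = [  # constructed sample session; first two packets precede both matches
    (0.0, b"SMB negotiate"), (0.5, b"SMB session setup"),
    (1.0, b"SMB open filename1"), (1.5, b"SMB read"),
    (2.0, b"SMB open filename2"), (2.5, b"SMB close"),
]
RULES = [Rule(1234, b"filename1", "set", "example"),
         Rule(1235, b"filename2", "isset", "example")]
```

Running `run_session(SESSION, RULES)` gives two overlapping capture windows, one per sid, and neither contains the packets sent before the first match.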