Snort mailing list archives
my flow rule doesn't work
From: Xing Star via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 15 Sep 2022 15:32:52 +0800
I made a rule to detect this pcap, but it does not seem to work at all. What can I do? The rule:

alert tcp any any -> any any (msg:"TLS"; flow:established,to_server; content:"|16 03 03|"; content:"|14 03 03|"; content:"|16 03 03|"; content:"|17 03 03|"; sid:87654321; rev:2;)

I think it should work properly, but it can match 14 03 03 16 03 03; it can't match 17 03 03. And if the rule is like this:

alert tcp any any -> any any (msg:"TLS"; flow:established,to_server; content:"|16 03 03|"; content:"|14 03 03|"; content:"|16 03 03|"; content:"|16 03 03|"; sid:87654321; rev:2;)

it can match from the head. I don't know why. Do I need to modify the config file? Please help me, thanks very much.
Attachment: rule-testflow.pcap
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
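The behaviour the poster is puzzled by hinges on how Snort chains `content` keywords, so here is an added illustration (not code from the post, the reply, or Snort itself) that models two documented Snort behaviours: a `content` with no `distance`/`within` modifier is an independent search over the whole inspected buffer, so a rule that repeats `|16 03 03|` is satisfied by a single occurrence of it; adding `distance:0` makes each content relative to the end of the previous match, which enforces order and forces a repeated pattern to be a further occurrence. The TLS record bytes are constructed by hand and are not the attached pcap; the function and constant names are this example's own.

```python
"""Toy model of Snort `content` chain evaluation (added illustration, not Snort code).

Modelled behaviours:
  * `content:` with no distance/within modifier: searched anywhere in the inspected
    buffer, independently of the other contents (so duplicate patterns may all
    match the same bytes);
  * `distance:0` on every content after the first: each search starts where the
    previous content's match ended, so order and repetition are enforced.
The payloads below are constructed by hand; they are not the poster's pcap.
"""

# Record-type prefixes from the rule in the post (TLS 1.2 record headers).
HANDSHAKE = b"\x16\x03\x03"
CHANGE_CIPHER_SPEC = b"\x14\x03\x03"
APP_DATA = b"\x17\x03\x03"

# The poster's two content chains.
RULE_PATTERNS = [HANDSHAKE, CHANGE_CIPHER_SPEC, HANDSHAKE, APP_DATA]
DUP_PATTERNS = [HANDSHAKE, CHANGE_CIPHER_SPEC, HANDSHAKE, HANDSHAKE]

# Constructed client->server bytes: Handshake (ClientKeyExchange), ChangeCipherSpec,
# Handshake (encrypted Finished), with no Application Data record.
PAYLOAD_NO_APPDATA = bytes.fromhex(
    "160303 0006 100000020000"   # Handshake record, 6-byte body
    "140303 0001 01"             # ChangeCipherSpec record
    "160303 0004 deadbeef"       # Handshake record, 4-byte opaque body
)
APPDATA_RECORD = bytes.fromhex("170303 0003 aabbcc")  # Application Data record
PAYLOAD_WITH_APPDATA = PAYLOAD_NO_APPDATA + APPDATA_RECORD
# The same bytes, but delivered as two separate packets (constructed).
SPLIT_PACKETS = [PAYLOAD_NO_APPDATA, APPDATA_RECORD]


def match_contents(payload: bytes, patterns: list[bytes], relative: bool = False) -> bool:
    """Return True when every pattern in the chain matches `payload`.

    relative=False mimics plain `content:` keywords: every search starts at offset 0.
    relative=True mimics `distance:0` on every content after the first: each search
    starts where the previous match ended.
    """
    pos = 0
    for pat in patterns:
        idx = payload.find(pat, pos if relative else 0)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def evaluate(payload: bytes, patterns: list[bytes]) -> tuple[bool, bool]:
    """(absolute result, relative result) for one inspected buffer."""
    return (match_contents(payload, patterns), match_contents(payload, patterns, True))


def any_packet_matches(packets: list[bytes], patterns: list[bytes], relative: bool = False) -> bool:
    """A content chain is evaluated against one inspected buffer at a time and never
    spans two buffers. Returns True if any single packet satisfies the chain."""
    return any(match_contents(p, patterns, relative) for p in packets)


if __name__ == "__main__":
    print("no appdata,   16/14/16/17:", evaluate(PAYLOAD_NO_APPDATA, RULE_PATTERNS))
    print("no appdata,   16/14/16/16:", evaluate(PAYLOAD_NO_APPDATA, DUP_PATTERNS))
    print("with appdata, 16/14/16/17:", evaluate(PAYLOAD_WITH_APPDATA, RULE_PATTERNS))
    print("split packets, 16/14/16/17:", any_packet_matches(SPLIT_PACKETS, RULE_PATTERNS))
```

Two things to take from the runs: the 16/14/16/16 chain succeeds on a buffer that holds only two `16 03 03` records, because without `distance:0` the third and fourth contents are re-searches of the same bytes; and the 16/14/16/17 chain fails whenever the Application Data record is not in the same inspected buffer as the handshake records, which is the first thing to check in a pcap where the records arrive in separate segments. In a real rule the ordered form is written as `content:"|16 03 03|"; content:"|14 03 03|"; distance:0; content:"|16 03 03|"; distance:0; content:"|17 03 03|"; distance:0;`.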
Current thread:
- my flow rule doesn't work Xing Star via Snort-sigs (Sep 15)
- Re: my flow rule doesn't work Patrick Mullen (Sep 16)