[Snort-openappid] Rules to detect flows?

dpifun at ...43...
Sat Nov 1 19:46:58 EDT 2014


We're trying to detect apps with rules to get the IP, port pair. But,
we've run into a snag. 
A simple rule for detecting SSH connections regardless of the port:
alert tcp any any -> any any (msg:"ssh"; appid: ssh openssh; sid:1000000; rev:1;)
This rule, however, creates a huge number of alerts for a single SSH
connection.  While we're not snort rule experts, using flowbits seems
to be the way. But, we're a bit lost on how to get ONLY an alert at
the beginning of an SSH connection and at the end. It would be cool if
we could get the number of bytes sent/received for the connection but
that seems impossible.
We tried using the S and F flags without success.
Any help appreciated!
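Added example, not from the original post or the Snort project: one way to get a single alert at the start of an SSH flow is the one-shot flowbits pattern, where the rule requires the bit to be unset and sets it in the same rule, so later packets of the same flow no longer match. The flowbit name ssh.flow_seen and the sid 1000001 are constructed for this illustration; the appid option is the one used in the post.

```snort
# Added example (not from the original post): alert once per SSH flow.
# Constructed names: flowbit "ssh.flow_seen", sid 1000001.
# The rule matches the first packet on which OpenAppId has identified the
# flow as ssh/openssh and the bit is not yet set; setting the bit in the
# same rule means every later packet of that flow fails the isnotset check.
alert tcp any any -> any any (msg:"SSH session start"; flow:to_server,established; appid: ssh openssh; flowbits:isnotset,ssh.flow_seen; flowbits:set,ssh.flow_seen; sid:1000001; rev:1;)
```

This covers only the "alert once at the beginning" part of the question; it does not produce an end-of-connection alert or a byte count, which this rule form does not provide.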

