[Snort-sigs] filter session in both direction

Jingmin (Jimmy) Zhou jimmy at ...1497...
Tue May 6 16:26:08 EDT 2003


Hi,

I am trying to write a rule to filter content of a session in
both directions. For example, if Snort sees "foo" in the incoming
traffic and then "bar" in the outgoing traffic for a web
session, it triggers an alert. Is it possible?

I wrote a rule as follows, but it's not successful:

alert tcp $EXTERNAL_NET any <> $HTTP_SERVERS $HTTP_PORTS
(msg:"[TEST] WEB successful access"; content:"/mytest.exe";
content:"200 OK"; tag:session,512,packets; session:printable;
nocase; rev:1; sid:1000001;)


Thanks for hints!

Jimmy

____________________________________________________________
Jingmin (Jimmy) Zhou             Mail : jimmy AT mtc.dhs.org
Web : www.mtc.dhs.org             ICQ : 19587415

The future is not set.  There is no fate but what we make
for ourselves.             - Terminator II, Judgement Day
____________________________________________________________
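
Added example, not part of the original message or of any Snort ruleset: every content option in a single rule is tested against the same packet, so a `<>` rule cannot join a request string to a response string, and the usual approach is to carry state across the flow with a pair of rules. Assumptions: a Snort release that supports the `flowbits` keyword with stream reassembly enabled; the flowbit name `test.mytest_req` and sids 1000002 and 1000003 are constructed for illustration.

```snort
# Added example (constructed; not from the original post).
#
# Rule 1: client -> server. When the request for /mytest.exe is seen,
# set a flowbit on this TCP session. flowbits:noalert keeps this rule
# silent, so it only records state.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"[TEST] WEB request for /mytest.exe (state only)"; \
    flow:to_server,established; \
    content:"/mytest.exe"; nocase; \
    flowbits:set,test.mytest_req; flowbits:noalert; \
    sid:1000002; rev:1;)

# Rule 2: server -> client. Alert only if the same session already
# carries the flowbit from rule 1 and the response status line,
# e.g. "HTTP/1.1 200 OK" (15 bytes), contains "200 OK".
# tag:session keeps logging the next 512 packets of the session.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
    (msg:"[TEST] WEB successful access to /mytest.exe"; \
    flow:to_client,established; \
    flowbits:isset,test.mytest_req; \
    content:"200 OK"; depth:15; \
    tag:session,512,packets; \
    sid:1000003; rev:1;)
```

On a persistent connection the flowbit stays set for later responses on the same session, so a `flowbits:unset,test.mytest_req;` in rule 2 limits the alert to the first response that follows the matching request.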



