[Snort-sigs] filter session in both direction
Jingmin (Jimmy) Zhou
jimmy at ...1497...
Tue May 6 16:26:08 EDT 2003
I am trying to write a rule to filter the content of a session in
both directions. For example, if Snort sees "foo" in the incoming
traffic and then "bar" in the outgoing traffic for a web
session, it triggers an alert. Is it possible?
I wrote a rule as follows, but it's not successful:
alert tcp $EXTERNAL_NET any <> $HTTP_SERVERS $HTTP_PORTS
(msg:"[TEST] WEB successful access"; content:"/mytest.exe";
content:"200 OK"; tag:session,512,packets; session:printable;
nocase; rev:1; sid:1000001;)
Thanks for hints!
Jingmin (Jimmy) Zhou Mail : jimmy AT mtc.dhs.org
Web : www.mtc.dhs.org ICQ : 19587415
The future is not set. There is no fate but what we make
for ourselves. - Terminator II, Judgement Day
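
An added example, not part of the original post: every `content` option in one rule is matched against the same packet payload, so a request string and a response string cannot both match in a single rule, even with `<>`. The pair below links the two directions with `flowbits`; it assumes a Snort 2.x release that supports the `flow` and `flowbits` keywords, and the flowbit name `mytest_req` and the second sid are constructed for illustration.

```snort
# Added example (not from the original post).
# Rule 1: client -> server. Remember that this TCP session requested
# /mytest.exe. flowbits:noalert keeps this rule from alerting by itself.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"[TEST] WEB request for /mytest.exe"; \
    flow:to_server,established; \
    content:"/mytest.exe"; nocase; \
    flowbits:set,mytest_req; flowbits:noalert; \
    sid:1000001; rev:2;)

# Rule 2: server -> client. Alert only when the same session was marked by
# rule 1 and the response status line reports success.
# depth:15 limits the match to the length of "HTTP/1.x 200 OK".
# flowbits:unset clears the mark so that later, unrelated responses on a
# keep-alive connection do not alert again.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
    (msg:"[TEST] WEB successful access"; \
    flow:from_server,established; \
    flowbits:isset,mytest_req; \
    content:"200 OK"; depth:15; \
    flowbits:unset,mytest_req; \
    tag:session,512,packets; \
    sid:1000002; rev:1;)
```

Both rules depend on stream tracking being enabled, since flowbits state is stored per tracked session.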