[Snort-sigs] Connecting signatures?
emf at ...4...
Sun Aug 29 09:06:07 EDT 2004
On Sun, Aug 29, 2004 at 09:02:43AM +0200, Chris Kronberg wrote:
> I'm trying to find a way to write rules providing the following:
> Rule1 fires and sets another rule active, which fires on the
> following traffic (if the criteria are met). Rule2 should never
> fire without rule1 firing first.
Sounds like you want flowbits.
alert tcp any any -> any any (msg:"rule1"; content:"FOO"; flowbits:set,saw_foo; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"rule2"; content:"BAR"; flowbits:isset,saw_foo; sid:1000002; rev:1;)
rule2 can't fire unless rule1 already fired for the existing flow. (which brings up
the biggest (IMHO) limitation of flowbits; you can't use it to connect different
flows together (say, ftp control and data sockets))
For more advanced rule progression like this, you might want to take a look at
Shoki (shoki.sourceforge.net). It's very very young, but I think it will fill
the gap between Snort and NFR if only people give it a little attention.
(and you know, no one says you have to have ONLY ONE IDS on your network...)
Beyond that, you probably want to look into using a correlation tool of some
kind to filter out the alerts for you. Just alert on anything interesting and
let the correlator sort it out.
(I strongly recommend SEC (http://kodu.neti.ee/~risto/sec/) for this.)
Principal Engineer, Information Security, ServerVault Corp.
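A runnable sketch of the per-flow semantics discussed in the reply, added here as an example; it is neither Snort's code nor anything from the original post. It models flowbits as state attached to the bidirectional TCP 4-tuple, loads the two rules from the reply, and runs constructed packet sequences showing that rule2 fires only after rule1 on the same flow, that BAR alone never fires, that a FOO on an FTP-style control connection does not arm rule2 on the separate data connection, and what a host-pair correlator in the spirit of SEC gets out of the "alert on everything" approach instead. All hosts, ports, payloads, the `pkt` helper and the `correlate` time window are made up for the example.

```python
"""Toy model of Snort flowbits (added example; not Snort's implementation)."""
from collections import defaultdict

# Constructed rules mirroring the two in the reply: content match + flowbits op.
FLOWBIT_RULES = [
    {"msg": "rule1", "content": b"FOO", "flowbits": ("set", "saw_foo")},
    {"msg": "rule2", "content": b"BAR", "flowbits": ("isset", "saw_foo")},
]

# "Alert on anything interesting" variant with no flowbits, for the correlator.
PLAIN_RULES = [
    {"msg": "foo_any", "content": b"FOO", "flowbits": None},
    {"msg": "bar_any", "content": b"BAR", "flowbits": None},
]


def flow_key(src, sport, dst, dport):
    """Direction-independent flow key: a reply packet maps to the same flow."""
    return frozenset({(src, sport), (dst, dport)})


class FlowbitEngine:
    """Per-flow bit store plus a minimal content matcher."""

    def __init__(self, rules):
        self.rules = rules
        self.bits = defaultdict(set)  # flow key -> set of flowbit names

    def inspect(self, p):
        """Return the msgs of every rule that fires on one packet dict."""
        key = flow_key(p["src"], p["sport"], p["dst"], p["dport"])
        fired = []
        for rule in self.rules:
            if rule["content"] not in p["payload"]:
                continue
            if rule["flowbits"]:
                op, bit = rule["flowbits"]
                if op == "isset" and bit not in self.bits[key]:
                    continue  # rule2 never fires unless rule1 set the bit on THIS flow
                if op == "set":
                    self.bits[key].add(bit)
            fired.append(rule["msg"])
        return fired


def run(packets, rules=FLOWBIT_RULES):
    """Feed packets through a fresh engine; return [(index, [msgs fired]), ...]."""
    eng = FlowbitEngine(rules)
    return [(i, eng.inspect(p)) for i, p in enumerate(packets)]


def correlate(packets, window=60):
    """Host-pair correlation (what an external correlator such as SEC could do):
    report a BAR that follows a FOO between the same two hosts within `window`
    seconds, regardless of which TCP flow carried each one."""
    eng = FlowbitEngine(PLAIN_RULES)
    last_foo = {}  # unordered host pair -> ts of most recent FOO alert
    hits = []
    for p in packets:
        pair = frozenset({p["src"], p["dst"]})
        for msg in eng.inspect(p):
            if msg == "foo_any":
                last_foo[pair] = p["ts"]
            elif msg == "bar_any" and pair in last_foo and p["ts"] - last_foo[pair] <= window:
                hits.append((p["ts"], tuple(sorted(pair))))
    return hits


def pkt(ts, src, sport, dst, dport, payload):
    """Constructed packet record (hypothetical helper, not a Snort structure)."""
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed traffic samples.
SAME_FLOW = [  # FOO client->server, BAR server->client on the same connection
    pkt(0, "10.0.0.1", 40000, "10.0.0.2", 80, b"GET /FOO HTTP/1.0"),
    pkt(1, "10.0.0.2", 80, "10.0.0.1", 40000, b"HTTP/1.0 200 BAR"),
]
BAR_ONLY = [pkt(0, "10.0.0.3", 40001, "10.0.0.2", 80, b"GET /BAR HTTP/1.0")]
FTP_LIKE = [  # FOO on the control connection, BAR on a separate data connection
    pkt(0, "10.0.0.1", 40002, "10.0.0.2", 21, b"RETR FOO"),
    pkt(5, "10.0.0.2", 20, "10.0.0.1", 40003, b"...BAR..."),
]

if __name__ == "__main__":
    print("same flow:", run(SAME_FLOW))       # rule1, then rule2
    print("bar only:", run(BAR_ONLY))         # nothing fires
    print("ftp-like:", run(FTP_LIKE))         # rule1 only; rule2 misses the data flow
    print("correlated:", correlate(FTP_LIKE)) # host-pair correlator still links them
```

The `FTP_LIKE` case is the limitation the reply points out: the bit set on the control flow is invisible on the data flow, so rule2 never fires; the host-pair `correlate` pass links the two alerts anyway, which is the division of labour between the IDS and a correlator that the last paragraph suggests.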