[Snort-sigs] Connecting signatures?

Erik Fichtner emf at ...4...
Sun Aug 29 09:06:07 EDT 2004


On Sun, Aug 29, 2004 at 09:02:43AM +0200, Chris Kronberg wrote:
>    I'm trying to find a way to write rules providing the following:
>    Rule1 fires and sets another rule active, which fires on the
>    following traffic (if the criteria are met). Rule2 should never
>    fire without rule1 firing first.

Sounds like you want flowbits.


alert tcp any any -> any any (msg:"rule1"; content:"FOO"; flowbits: set,saw_foo;);
alert tcp any any -> any any (msg:"rule2"; content:"BAR"; flowbits: isset,saw_foo;);

rule2 can't fire unless rule1 already fired for the existing flow.  (which brings up
the biggest (IMHO) limitation of flowbits;  you can't use it to connect different
flows together (say, ftp control and data sockets))

For more advanced rule progression like this, you might want to take a look at
Shoki (shoki.sourceforge.net).   It's very very young, but I think it will fill 
the gap between Snort and NFR if only people give it a little attention.
(and you know, no one says you have to have ONLY ONE IDS on your network...)

Beyond that, you probably want to look into using a correlation tool of some
kind to filter out the alerts for you.   Just alert on anything interesting and
let the correlator sort it out.
(I strongly recommend SEC (http://kodu.neti.ee/~risto/sec/) for this.)

-- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.

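The flowbits behaviour described in the reply above, worked through in a small Python model. This is an added example, not Snort's code and not part of the original post: it keys state on a direction-normalised TCP 5-tuple the way a per-session flowbit does, runs the two rules from the post over a few constructed packets, and shows both the intended result (rule2 fires only on a flow where rule1 already fired) and the limitation the reply points out (a bit set on one flow, say FTP control, is invisible to a different flow, say FTP data). Packet contents, addresses and ports are made up for the example.

```python
"""Toy model of Snort flowbits semantics (added example, not Snort code).

A flowbit is per-flow state: `flowbits:set,NAME` records NAME on the
flow that matched, and `flowbits:isset,NAME` only matches if that same
flow already carries NAME.  Flows are keyed on the TCP 5-tuple with the
two directions normalised, which is exactly why a bit set on an FTP
control connection cannot be seen from the separate FTP data connection.
"""
from collections import defaultdict

# Constructed packets: (src, sport, dst, dport, payload).  Not real traffic.
PACKETS = [
    ("10.0.0.1", 40000, "10.0.0.2", 21, b"FOO"),   # flow A: rule1 sets saw_foo
    ("10.0.0.2", 21, "10.0.0.1", 40000, b"BAR"),   # flow A, reverse direction: rule2 fires
    ("10.0.0.3", 40001, "10.0.0.2", 21, b"BAR"),   # flow B: BAR with no prior FOO, no alert
    ("10.0.0.1", 40002, "10.0.0.2", 20, b"BAR"),   # flow C: "data channel", FOO was on flow A
]

# Rules modelled on the two in the post: (msg, content, flowbits action, bit name)
RULES = [
    ("rule1", b"FOO", "set", "saw_foo"),
    ("rule2", b"BAR", "isset", "saw_foo"),
]


def flow_key(src, sport, dst, dport):
    """Direction-independent flow identifier (both sides of one session map to one key)."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def run(packets, rules):
    """Apply the rules to each packet in order; return a list of (msg, flow_key) alerts."""
    bits = defaultdict(set)  # flow_key -> set of flowbit names currently set on that flow
    alerts = []
    for src, sport, dst, dport, payload in packets:
        key = flow_key(src, sport, dst, dport)
        for msg, content, action, bit in rules:
            if content not in payload:
                continue
            if action == "set":
                bits[key].add(bit)       # remember the bit on this flow only
                alerts.append((msg, key))
            elif action == "isset" and bit in bits[key]:
                alerts.append((msg, key))  # only fires if this same flow saw rule1
    return alerts


def alert_msgs(packets=PACKETS, rules=RULES):
    """Just the rule names that fired, in order, for easy checking."""
    return [msg for msg, _ in run(packets, rules)]


if __name__ == "__main__":
    for msg, key in run(PACKETS, RULES):
        print(msg, key)
```

Flows B and C both carry "BAR" but produce nothing, because the bit lives on flow A alone. If rule1 is only meant to prime rule2 rather than alert on its own, Snort's `flowbits:noalert;` option on rule1 suppresses its alert while still setting the bit; that is the usual way to keep the first stage quiet.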
