[Snort-sigs] Connecting signatures?

Matthew Watchinski mwatchinski at ...435...
Sun Aug 29 09:20:01 EDT 2004


If condition 1 and 2 are part of the same session then you can use 
flowbits.  Flowbits works like the following

Rule 1 - flowbits:set,something.happened;

Rule 2 - flowbits:isset,something.happened;

In Rule 1 you can also set another option "noalert" so you don't get 
alerted if only the first condition happens.

flowbits is supported in 2.1.3 and above.

Hope that helps.

Cheers,
-matt

Chris Kronberg wrote:

> On Sun, 29 Aug 2004, Keith W. McCammon wrote:
>
>>
>> I believe that activate/dynamic rules are still an option in the
>> current release.  You can read about these in the manual:
>> http://www.snort.org/docs/snort_manual/node16.html.  Note, however,
>> that these may not be around in future releases.
>
>
>   The activate/dynamic rules are still there, they work but they
>   don't do what I want. Yes, number1 activates number 2, but as
>   with tagging just to capture more of the traffic. At least
>   according to the manual there is nothing more about that.
>   I tried to convince the second rule to give at least a message
>   but to no avail.
>   If there is a way to accomplish my goal with these tags I'd
>   love to hear about that.
>
>   Cheers,
>
>                                                 Chris Kronberg.
>
>
>> On Sun, 29 Aug 2004 09:02:43 +0200 (CEST), Chris Kronberg
>> <smil at ...1754...> wrote:
>>
>>>
>>>    Hi,
>>>
>>>    I'm trying to find a way to write rules providing the following:
>>>    Rule1 fires and sets another rule active, which fires on the
>>>    following traffic (if the criteria are met). Rule2 should never
>>>    fire without rule1 firing first.
>>>    First I thought, I can do that with tagging but it seems that
>>>    tagging only allows me to save more of the triggered connection
>>>    for a later analysis (which is a fine thing in itself).
>>>    Is there any way to accomplish something like that?
>>>
>>>    Cheers,
>>>
>>>                                                   Chris Kronberg.
>>>
>>> -------------------------------------------------------
>>> This SF.Net email is sponsored by BEA Weblogic Workshop
>>> FREE Java Enterprise J2EE developer tools!
>>> Get your free copy of BEA WebLogic Workshop 8.1 today.
>>> http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>
>
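
Worked example of the flowbits pairing described above, added here as an editor's illustration and not part of the original thread. The rules are written in Snort 2.x rule syntax for a hypothetical FTP control session where "rule 1" is the client sending USER and "rule 2" is the client sending PASS afterwards on the same flow; the flowbit name ftp.user.seen, the SIDs, the message strings and the $HOME_NET/$EXTERNAL_NET variables are assumptions for the example, not values from the list posts.

```snort
# Added example, not from the original thread. All names and SIDs are assumed.

# Stage 1: record that a USER command was seen on this FTP control session.
# flowbits:noalert suppresses this rule's own event, so on its own it only
# sets state and never shows up in the alert log.
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"LOCAL FTP USER seen (state only)"; \
    flow:to_server,established; content:"USER "; nocase; depth:5; \
    flowbits:set,ftp.user.seen; flowbits:noalert; \
    classtype:not-suspicious; sid:1000001; rev:1;)

# Stage 2: fires only if stage 1 already set the bit on the *same* flow.
# A PASS without a preceding USER on that session leaves isset false, so this
# rule cannot alert without rule 1 having matched first.
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"LOCAL FTP PASS after USER on same session"; \
    flow:to_server,established; content:"PASS "; nocase; depth:5; \
    flowbits:isset,ftp.user.seen; \
    classtype:attempted-recon; sid:1000002; rev:1;)

# Housekeeping: clear the bit when the client logs out, so a later USER/PASS
# pair on a reused flow has to satisfy stage 1 again.
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"LOCAL FTP QUIT, clearing user state"; \
    flow:to_server,established; content:"QUIT"; nocase; depth:4; \
    flowbits:unset,ftp.user.seen; flowbits:noalert; \
    classtype:not-suspicious; sid:1000003; rev:1;)
```

Two practical notes. First, flowbits are per-flow state, so the stream preprocessor (stream4 in the 2.1.x/2.2 series) has to be enabled and tracking the session for the bit to carry from one packet to the next; without it the second rule never sees the bit. Second, while testing, temporarily drop flowbits:noalert from the first rule so you can confirm stage 1 is actually matching before you blame stage 2.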
