[Snort-sigs] Connecting signatures?
smil at ...1754...
Tue Aug 31 03:42:03 EDT 2004
On Sun, 29 Aug 2004, Erik Fichtner wrote:
> On Sun, Aug 29, 2004 at 09:02:43AM +0200, Chris Kronberg wrote:
>> I'm trying to find a way to write rules providing the following:
>> Rule1 fires and sets another rule active, which fires on the
>> following traffic (if the criteria are met). Rule2 should never
>> fire without rule1 firing first.
> Sounds like you want flowbits.
> alert tcp any any -> any any (msg:"rule1"; content:"FOO"; flowbits: set,saw_foo;);
> alert tcp any any -> any any (msg:"rule2"; content:"BAR"; flowbits: isset,saw_foo;);
Great! Thank you very much. Works like charm. :-)
> For more advanced rule progression like this, you might want to take a look at
> Shoki (shoki.sourceforge.net). It's very very young, but I think it will fill
> the gap between Snort and NFR if only people give it a little attention.
> (and you know, no one says you have to have ONLY ONE IDS on your network...)
True. I'll take a look at Shoki.
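To make the per-session behaviour of the flowbits chain concrete, here is an added example that is not part of the original thread and not Snort's own code: a small Python model of the flowbits keyword. It parses the two rules Erik posted (plus a variant of rule1 that adds the real `flowbits:noalert;` option, the usual way to keep the "setter" rule quiet), keeps a set of bits per bidirectional flow, and runs a constructed packet sequence. The packet records, the 10.0.0.x addresses and the `FlowbitsEngine` name are all assumptions made for the illustration; real Snort scopes flowbits to the TCP session tracked by its stream preprocessor, which is what the `flow_key` function stands in for here.

```python
"""Toy model of Snort's flowbits rule chaining (added example, not Snort code).

Parses a subset of Snort rule options (msg, content, flowbits set/isset/
isnotset/noalert), tracks bits per bidirectional flow, and evaluates rules
against constructed packets. Rule2 can only alert on a flow in which rule1
already matched; a "BAR" in an unrelated flow stays silent.
"""
import re
from collections import defaultdict

# The two rules from the thread, normalised to end with ')' and no trailing ';'.
RULES = [
    'alert tcp any any -> any any (msg:"rule1"; content:"FOO"; flowbits:set,saw_foo;)',
    'alert tcp any any -> any any (msg:"rule2"; content:"BAR"; flowbits:isset,saw_foo;)',
]

# Same chain, but rule1 only sets the bit and never alerts (flowbits:noalert).
QUIET_RULES = [
    'alert tcp any any -> any any (msg:"rule1"; content:"FOO"; flowbits:set,saw_foo; flowbits:noalert;)',
    RULES[1],
]


def parse_rule(text):
    """Extract only the options the flowbits chain needs from a rule string."""
    opts = re.search(r'\((.*)\)\s*$', text).group(1)
    rule = {"msg": None, "content": [], "set": [], "isset": [], "isnotset": [], "noalert": False}
    for opt in filter(None, (o.strip() for o in opts.split(';'))):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "content":
            rule["content"].append(val.strip('"').encode())
        elif key == "flowbits":
            op, _, name = val.partition(',')
            op = op.strip()
            if op == "noalert":
                rule["noalert"] = True
            else:
                rule[op].append(name.strip())
    return rule


def flow_key(pkt):
    """Bidirectional key: both directions of one TCP session map to the same key."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return tuple(sorted([a, b]))


class FlowbitsEngine:
    """Evaluates parsed rules and keeps flowbits state per flow (assumed name)."""

    def __init__(self, rule_texts):
        self.rules = [parse_rule(r) for r in rule_texts]
        self.bits = defaultdict(set)  # flow_key -> set of bit names

    def process(self, pkt):
        """Evaluate every rule against one packet; return the msgs that alerted."""
        alerts = []
        flow_bits = self.bits[flow_key(pkt)]
        for rule in self.rules:
            if not all(c in pkt["payload"] for c in rule["content"]):
                continue
            # isset / isnotset are tested against the flow's current state
            if any(b not in flow_bits for b in rule["isset"]):
                continue
            if any(b in flow_bits for b in rule["isnotset"]):
                continue
            flow_bits.update(rule["set"])
            if not rule["noalert"]:
                alerts.append(rule["msg"])
        return alerts


def run(rule_texts, packets):
    """Return, per packet, the list of rule msgs that alerted."""
    engine = FlowbitsEngine(rule_texts)
    return [engine.process(p) for p in packets]


# Constructed sample traffic (not captured data):
# flow A: FOO from the client, then BAR in the reply direction of the same session
# flow B: BAR first (must stay silent), then FOO, then BAR again
PACKETS = [
    {"src": "10.0.0.1", "sport": 40000, "dst": "10.0.0.2", "dport": 80, "payload": b"FOO"},
    {"src": "10.0.0.2", "sport": 80, "dst": "10.0.0.1", "dport": 40000, "payload": b"BAR"},
    {"src": "10.0.0.3", "sport": 40001, "dst": "10.0.0.2", "dport": 80, "payload": b"BAR"},
    {"src": "10.0.0.3", "sport": 40001, "dst": "10.0.0.2", "dport": 80, "payload": b"FOO"},
    {"src": "10.0.0.3", "sport": 40001, "dst": "10.0.0.2", "dport": 80, "payload": b"BAR"},
]

if __name__ == "__main__":
    for i, alerts in enumerate(run(RULES, PACKETS)):
        print(f"packet {i}: {alerts}")
    for i, alerts in enumerate(run(QUIET_RULES, PACKETS)):
        print(f"quiet chain, packet {i}: {alerts}")
```

Two points the model makes that the rule pair alone does not: the bit is keyed on the session, so the third packet (BAR on a flow that never carried FOO) produces nothing, and the bit survives a direction change within the session, so BAR in the server-to-client reply still fires rule2. In a deployed rule set you would also give both rules `sid`/`rev` options and usually a `flow:` constraint, which the model leaves out.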