[Snort-sigs] rule for Non-SSL traffic on SSL port?

Jeff Kell jeff-kell at ...922...
Fri Jun 23 20:51:16 EDT 2006

Russell Fulton wrote:
> So, list:  How does one write a set of rules that will look for
> something in the first packet of a TCP session to a particular port?
I have done rules to mark the "first packet" in a session, but not 
conditionally, since you need to fire a couple of rules in sequence on 
that first packet for it to work correctly.  There's a lot of "smoke and 
mirrors" surrounding the order in which rules are processed -- and it's 
not necessarily sequentially as they appear in the rules files.  It 
isn't documented anywhere either (that I know of) other than as source 
code :)

The basic idea is...

alert tcp $HOME_NET any -> $EXTERNAL_NET $your_port (flags:S+; flowbits: 
set,flowstart; flowbits: noalert;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $your_port (flow: established; 
flowbits: isset,flowstart; content:"whatever";)

alert tcp $HOME_NET any -> $EXTERNAL_NET $your_port (flowbits: 
isset,flowstart; flowbits: unset,flowstart;)

which should work if the rules are processed in that order.

More information about the Snort-sigs mailing list