[Snort-sigs] rule for Non-SSL traffic on SSL port?
jeff-kell at ...922...
Fri Jun 23 20:51:16 EDT 2006
Russell Fulton wrote:
> So, list: How does one write a set of rules that will look for
> something in the first packet of a TCP session to a particular port?
I have done rules to mark the "first packet" in a session, but not
conditionally, since you need to fire a couple of rules in sequence on
that first packet for it to work correctly. There's a lot of "smoke and
mirrors" surrounding the order in which rules are processed -- and it's
not necessarily sequentially as they appear in the rules files. It
isn't documented anywhere either (that I know of) other than as source
The basic idea is...
# Rule 1: mark the SYN of each new client->server session; noalert keeps it a bookkeeping rule.
# (msg/sid/rev added so Snort will load the rules; the sids are local-range placeholders.)
alert tcp $HOME_NET any -> $EXTERNAL_NET $your_port (msg:"flowstart: new session to $your_port"; flags:S,12; flowbits:set,flowstart; flowbits:noalert; sid:1000001; rev:1;)
# Rule 2: the first data packet of the session, with the marker still set and the content present.
alert tcp $HOME_NET any -> $EXTERNAL_NET $your_port (msg:"first-packet content match on $your_port"; flow:established; flowbits:isset,flowstart; content:"whatever"; sid:1000002; rev:1;)
# Rule 3: clear the marker on that same first data packet so later packets can't match rule 2.
# flow:established and dsize:>0 stop the bare SYN and handshake ACK from clearing it; must run after rule 2.
alert tcp $HOME_NET any -> $EXTERNAL_NET $your_port (msg:"flowstart housekeeping"; flow:established; dsize:>0; flowbits:isset,flowstart; flowbits:unset,flowstart; flowbits:noalert; sid:1000003; rev:1;)
which should work if the rules are processed in that order.
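As an added illustration (not part of Jeff's message and not Snort's code), the Python below models the three-rule flowbits scheme as predicate/action pairs over a per-flow bit set and replays a constructed client->server TCP session under different rule orders. It shows why "if the rules are processed in that order" is the crux: the alert fires only when the set/check/clear rules see the first data packet in that sequence. The third rule is modelled in two variants, one with only the flowbits test and one additionally restricted to established, data-carrying packets, to show that the bare variant clears the marker on the SYN itself. Packet, Flow, Rule and the session() helper are names invented for this model; the handshake is simplified to "established after the client's ACK".

```python
"""Toy model of Snort flowbits evaluation order (constructed example, not Snort code)."""
from dataclasses import dataclass, field
from typing import Callable

PATTERN = b"whatever"  # placeholder content taken from the posted rule


@dataclass
class Packet:
    flags: str            # TCP flags as letters, e.g. "S", "A", "PA"
    payload: bytes = b""


@dataclass
class Flow:
    bits: set = field(default_factory=set)  # the session's flowbits
    established: bool = False


@dataclass
class Rule:
    name: str
    match: Callable[[Packet, Flow], bool]
    set_bits: tuple = ()
    unset_bits: tuple = ()
    noalert: bool = False


def is_syn(pkt, flow):
    # rule 1: flags:S
    return pkt.flags == "S"


def first_data_with_pattern(pkt, flow):
    # rule 2: flow:established; flowbits:isset,flowstart; content:"whatever"
    return flow.established and "flowstart" in flow.bits and PATTERN in pkt.payload


def clear_marker_bare(pkt, flow):
    # rule 3 with only flowbits:isset,flowstart (no flow/dsize constraint)
    return "flowstart" in flow.bits


def clear_marker_data_only(pkt, flow):
    # rule 3 restricted to flow:established; dsize:>0; flowbits:isset,flowstart
    return flow.established and len(pkt.payload) > 0 and "flowstart" in flow.bits


RULE_MARK = Rule("mark-syn", is_syn, set_bits=("flowstart",), noalert=True)
RULE_CHECK = Rule("first-packet-content", first_data_with_pattern)
RULE_CLEAR_BARE = Rule("clear-bare", clear_marker_bare, unset_bits=("flowstart",), noalert=True)
RULE_CLEAR_DATA = Rule("clear-data-only", clear_marker_data_only, unset_bits=("flowstart",), noalert=True)


def session(first_payload, second_payload):
    """Constructed client->server packets: SYN, handshake ACK, then two data segments.
    Server->client packets are not modelled; the posted rules only look at this direction."""
    return [Packet("S"), Packet("A"), Packet("PA", first_payload), Packet("PA", second_payload)]


def replay(packets, rules):
    """Evaluate every rule against each packet in the given order.
    Returns a list of (packet index, rule name) for rules that alerted."""
    flow = Flow()
    alerts = []
    for i, pkt in enumerate(packets):
        if pkt.flags == "A" and not flow.established:
            flow.established = True  # simplification: established once the client ACKs
        for rule in rules:
            if not rule.match(pkt, flow):
                continue
            flow.bits.update(rule.set_bits)          # flowbits:set takes effect immediately
            flow.bits.difference_update(rule.unset_bits)
            if not rule.noalert:
                alerts.append((i, rule.name))
    return alerts


if __name__ == "__main__":
    hit = session(b"GET /whatever", b"whatever again")
    print("set, check, clear:", replay(hit, [RULE_MARK, RULE_CHECK, RULE_CLEAR_DATA]))
    print("set, clear, check:", replay(hit, [RULE_MARK, RULE_CLEAR_DATA, RULE_CHECK]))
    print("bare clear rule:  ", replay(hit, [RULE_MARK, RULE_CHECK, RULE_CLEAR_BARE]))
    print("pattern only later:", replay(session(b"hello", b"whatever"),
                                        [RULE_MARK, RULE_CHECK, RULE_CLEAR_DATA]))
```

Run as a script it prints one alert for the intended order, none when the clear rule is evaluated before the check rule, none when the clear rule has no flow/dsize restriction (it strips the marker on the SYN), and none when the content only appears in the second data segment, which is the "first packet only" property the scheme is meant to give.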