[Snort-sigs] Multi Flow Alert

Curt Shaffer cshaffer at ...2420...
Wed Jan 13 10:33:16 EST 2010


I need to write a rule that will alert if I see the following characteristics.

Client establishes port 80 traffic to IP address A. Immediately after
the response of that flow, the same client establishes an SSL session
443 to the same destination.

I know this has potential for false positives as redirection is pretty
common but if I can create a variable like MALWARE_C2C with a list of
known IPs that this shouldn't happen to or possibly KNOWN_RDIR hosts
to keep a simple whitelist rather than blacklist.

Is it possible with Snort to alert across multiple flows? If so, can
someone point me to some documentation on the directives needed or
give a simple example?

Thanks
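Snort's flowbits carry state only within one flow (the stream-tracked session), so the two-flow sequence the post asks about is usually correlated outside the rule engine, over connection records. The following Python is an added example, not code from the Snort-sigs thread or from the Snort project: it walks constructed connection records, pairs each client's port-443 connection with its most recent port-80 connection to the same server, alerts when the gap is within a short window, and skips servers on a `KNOWN_RDIR` whitelist (the post's idea; the set contents, the window length and the record format are assumptions for illustration).

```python
"""Correlate an HTTP flow followed shortly by an SSL flow from the same
client to the same server, the sequence described in the post.

Added example for illustration; not from the Snort-sigs thread.
All connection records below are constructed, not real logs.
"""

# Constructed sample records: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_CONNECTIONS = [
    (100.0, "10.0.0.5", "203.0.113.10", 80),
    (100.4, "10.0.0.5", "203.0.113.10", 443),   # 80 then 443, same host, within window
    (120.0, "10.0.0.7", "198.51.100.20", 80),
    (120.2, "10.0.0.7", "198.51.100.20", 443),  # whitelisted redirector: no alert
    (150.0, "10.0.0.9", "203.0.113.10", 80),
    (190.0, "10.0.0.9", "203.0.113.10", 443),   # 40 s later: outside window
    (200.0, "10.0.0.5", "203.0.113.10", 443),   # no fresh port-80 flow before it
]

# Hypothetical whitelist, the KNOWN_RDIR idea from the post: servers where
# an HTTP-to-HTTPS redirect is expected and should not raise an alert.
KNOWN_RDIR = {"198.51.100.20"}


def find_http_then_ssl(connections, window=2.0, whitelist=frozenset()):
    """Return (client, server, http_ts, ssl_ts) tuples for every case where a
    client's port-443 connection to a server follows that client's port-80
    connection to the same server within `window` seconds.

    Servers in `whitelist` never produce an alert. Each port-80 flow is
    consumed by the first port-443 flow that follows it, so one HTTP
    request can trigger at most one alert.
    """
    last_http = {}   # (client, server) -> timestamp of latest port-80 connection
    alerts = []
    for ts, src, dst, dport in sorted(connections):
        key = (src, dst)
        if dport == 80:
            last_http[key] = ts
        elif dport == 443:
            http_ts = last_http.pop(key, None)
            if http_ts is None or dst in whitelist:
                continue
            if 0 <= ts - http_ts <= window:
                alerts.append((src, dst, http_ts, ts))
    return alerts


if __name__ == "__main__":
    for src, dst, t_http, t_ssl in find_http_then_ssl(SAMPLE_CONNECTIONS,
                                                       whitelist=KNOWN_RDIR):
        print(f"ALERT {src} -> {dst}: http at {t_http}, ssl at {t_ssl} "
              f"(+{t_ssl - t_http:.1f}s)")
```

Run against the constructed records, only the 10.0.0.5 pair alerts; the redirector host is suppressed by the whitelist and the 40-second gap falls outside the window. Tune `window` to the latency of a real HTTP-then-HTTPS redirect on your network, and treat the whitelist as the post suggests: a short list of known redirectors rather than an attempt to enumerate bad hosts.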
