[Snort-sigs] Multi Flow Alert

Matt Olney molney at ...435...
Wed Jan 13 22:34:08 EST 2010


Let me check with Patrick tomorrow on this.  He did some really nifty
cross-stream work on one of the Microsoft vulns a few months ago.  I'm
pretty sure the tricks he pulls are .SO only though.


On Wed, Jan 13, 2010 at 10:33 AM, Curt Shaffer <cshaffer at ...2420...> wrote:

> I need to write a rule that will alert if I see the following
> characteristics.
> Client establishes port 80 traffic to IP address A. Immediately after
> the response of that flow, the same client establishes an SSL session
> 443 to the same destination.
> I know this has potential for false positives as redirection is pretty
> common but if I can create a variable like MALWARE_C2C with a list of
> known IPs that this shouldn't happen to or possibly KNOWN_RDIR hosts
> to keep a simple whitelist rather than blacklist.
> Is this possible with Snort to alert across multiple flows? If so can
> someone point me to some documentation on the directives needed or
> give a simple example?
> Thanks
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
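One way to do the two-flow correlation Curt describes outside the rule engine, as an added example that is not from this thread and not Snort's own code: a small Python script walks a constructed connection log (start time, end time, client, server, port; the format and the addresses are made up for this example, not any real log format) and reports a client that opens a :443 flow to a server within a short window after its :80 flow to that same server ends, skipping servers on a KNOWN_RDIR-style whitelist. The window length and the whitelist contents are assumptions.

```python
"""Correlate client->A:80 followed shortly by client->A:443 across two flows.

The log format (ts_start,ts_end,src,dst,dport) and all addresses are
constructed for this example; substitute a real connection log exporter.
"""

WINDOW = 2.0  # assumed max seconds between end of the :80 flow and start of :443
# Assumed whitelist of servers where an HTTP->HTTPS redirect is expected.
KNOWN_RDIR = {"198.51.100.10"}

# Constructed sample log: three clients, one expected alert.
SAMPLE_LOG = """\
1263400000.0,1263400000.4,10.0.0.5,203.0.113.7,80
1263400000.6,1263400003.0,10.0.0.5,203.0.113.7,443
1263400010.0,1263400010.3,10.0.0.6,198.51.100.10,80
1263400010.5,1263400012.0,10.0.0.6,198.51.100.10,443
1263400020.0,1263400020.2,10.0.0.7,203.0.113.9,80
1263400030.0,1263400031.0,10.0.0.7,203.0.113.9,443
"""


def parse(log_text):
    """Yield (ts_start, ts_end, src, dst, dport) tuples from the constructed log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts0, ts1, src, dst, dport = line.split(",")
        yield float(ts0), float(ts1), src, dst, int(dport)


def correlate(log_text, window=WINDOW, whitelist=KNOWN_RDIR):
    """Return [(src, dst, gap_seconds)] for each client/server pair where a
    :443 flow starts within `window` seconds after the pair's last :80 flow
    ended, unless the server is on the redirect whitelist."""
    last_http_end = {}  # (src, dst) -> end time of the most recent :80 flow
    alerts = []
    for ts0, ts1, src, dst, dport in sorted(parse(log_text)):
        key = (src, dst)
        if dport == 80:
            last_http_end[key] = ts1
        elif dport == 443 and key in last_http_end:
            gap = ts0 - last_http_end.pop(key)  # consume the :80 flow once
            if 0 <= gap <= window and dst not in whitelist:
                alerts.append((src, dst, round(gap, 3)))
    return alerts


if __name__ == "__main__":
    for src, dst, gap in correlate(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst}: :443 opened {gap}s after :80 flow ended")
```

The whitelist check could equally be inverted into a MALWARE_C2C-style list that only alerts on listed destinations; the correlation logic is the same.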