[Snort-sigs] Snort as IPS and correlation

stephane.nasdrovisky at ...2835... stephane.nasdrovisky at ...2835...
Fri Apr 10 14:32:59 EDT 2015

My guess is flowbit: set in rule A.
flowbit: isset in rule B. (rule B takes action, not rule A)

The pdf manual (https://www.snort.org/documents/1 or https://www.snort.org/#documents): says
3: writing snort rules
3.6: non-payload detection rule options
3.6.10 flowbits
Most of the options need a user-defined name for the specific state that is being checked.

flowbits:[set|isset][, <GROUP_NAME>];

you'll find flowbit: set examples in some existing rules.
flowbit is described in “ips options” for snort 3/snort++
Other solution may come from other IDS like bro, prelude IDS or haka

Subject: [Snort-sigs] Snort as IPS and correlation

1- Snort receive a packet that matches with a rule [RULE A] (RULE A includes blocking source address in iptables through snortsam)

2- Action for [RULE A] stands in "standby" until another rule [RULE B] is matched

3- Once [RULE B] is matched, then [RULE A] performs actions configured on it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20150410/176893e2/attachment.html>

More information about the Snort-sigs mailing list