[Snort-sigs] Gathering the session for a two rule setup

Joshua Ochsankehl joshua.ochsankehl at ...2420...
Mon Jan 30 17:16:49 EST 2017


I am using an older version of Sourcefire 5 and I am trying to capture some
traffic using two rules one looking for a specific uri string and this rule
sets the flowbit and packet tagging for 10 packets also turned to noalert.
Then I wrote the second rule to capture the 200 OK response from the
session looking for the flowbit.  This works but doesn't return to the
session only the 200 OK.  Is there a keyword I am not thinking about?  and
the noalert has no baring on the results.  I've tested just about every
variation of this and can't seem to get it.  NOTE: I'm trying to avoid full
packet capture and just need Full packet on a case by case basis.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170130/c75327f6/attachment.html>


More information about the Snort-sigs mailing list