[Snort-sigs] Gathering the session for a two rule setup

Joshua Ochsankehl joshua.ochsankehl at ...2420...
Tue Jan 31 13:06:37 EST 2017


I can't put it up here due to business concerns, but maybe I didn't explain
it very well.  The purpose is to capture traffic from the beginning of a
session with a noalert and, a packet or more later, capture the rest of the
session with a second rule.  I still need to capture the entire
session in PCAP so that the identifying issue can be determined.  This is
to weed out the not-founds and situations where the traffic was stopped.

On Mon, Jan 30, 2017 at 4:37 PM, Joel Esler (jesler) <jesler at ...3865...>
wrote:

> Can you capture a pcap of the traffic you are attempting to analyze and
> throw it on here?
>
> *--*
> *Joel Esler *| *Talos:* Manager | jesler at ...3865...
>
> On Jan 30, 2017, at 5:16 PM, Joshua Ochsankehl <
> joshua.ochsankehl at ...2420...> wrote:
>
> I am using an older version of Sourcefire 5 and I am trying to capture
> some traffic using two rules: one looking for a specific URI string; this
> rule sets the flowbit and packet tagging for 10 packets and is also turned to
> noalert.  Then I wrote the second rule to capture the 200 OK response from
> the session looking for the flowbit.  This works but doesn't return the
> session, only the 200 OK.  Is there a keyword I am not thinking about?  And
> the noalert has no bearing on the results.  I've tested just about every
> variation of this and can't seem to get it.  NOTE: I'm trying to avoid full
> packet capture and just need full packet capture on a case-by-case basis.
> ------------------------------------------------------------------
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit Snort.org to subscribe to the official Snort ruleset, and make sure
> to stay up to date to catch the most emerging threats:
> https://snort.org/downloads/#rule-downloads
>
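For readers landing on this thread, here is the two-rule setup written out in Snort 2 rule syntax. This is an added example, not a rule pair from the thread and not part of the Sourcefire or Talos rule sets; the URI `/example/path`, the flowbit name `example.uri_seen`, the SIDs 1000001 and 1000002, the 30-packet tag count and the `log_tcpdump` output line are placeholders to adapt. The point it demonstrates is the interaction the original poster ran into: in Snort 2 the `tag` keyword only starts logging when its rule actually raises an event, so a rule that carries `flowbits:noalert` never tags anything, and if the tag is instead placed on the rule that matches the 200 OK, logging only begins at that packet and the start of the session is already gone. To get the request and everything after it, the first rule has to be the one that alerts and tags; the second rule then just needs `flowbits:isset` to pick out the response on the same flow.

```snort
# Added example, not from the original thread. Placeholder values:
# /example/path, example.uri_seen, SIDs 1000001/1000002, tag count 30.
#
# In snort.conf (Snort 2): tagged packets are written by log output
# plugins, not alert plugins, so give them somewhere to go, e.g.
#   output log_tcpdump: tagged.log
# (with unified2 they appear as packet records tied to the same event id).

# Rule 1: the client request of interest. It must NOT carry
# flowbits:noalert, because the tag is only applied when this rule
# generates an event. It marks the flow and tags the next 30 packets
# of the session in both directions, so the remainder of the
# request/response exchange lands in the packet log.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE request to URI of interest, tagging session"; \
    flow:to_server,established; \
    content:"/example/path"; http_uri; \
    flowbits:set,example.uri_seen; \
    tag:session,30,packets; \
    classtype:misc-activity; \
    sid:1000001; rev:1; )

# Rule 2: the server's 200 OK on the same flow. It only fires when
# rule 1 already set the flowbit, so unrelated 200 OKs stay quiet.
# No tag here: by the time this matches, the request is already behind
# us, and tagging from this point would give exactly the symptom in the
# thread (the 200 OK and nothing before it).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE 200 OK for URI of interest"; \
    flow:to_client,established; \
    flowbits:isset,example.uri_seen; \
    content:"200"; http_stat_code; \
    classtype:misc-activity; \
    sid:1000002; rev:1; )

# Variant if the request rule really must stay silent: keep
# flowbits:set plus flowbits:noalert in rule 1 and drop its tag. You
# then get only rule 2's alert and, if you add tag:session to rule 2,
# only packets from the 200 OK onward, which is the behaviour the
# original poster observed.
```

Two checks worth running before trusting this in production: confirm with a replayed pcap (`snort -c snort.conf -r sample.pcap -l /tmp/out`) that the tagged packets include the original request and not just the response, and bound the tag with `packets` rather than `seconds` when the goal is to avoid drifting back into full packet capture on long-lived connections.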