[Snort-users] Alert on logical detection
ljuin at ...7353...
Tue Oct 29 23:59:02 EST 2002
I would like to alert only when snort sees a HTTP packet from a host
AND does NOT see another HTTP packet from the same host within the
next 15 seconds.
How do you write this logical match with snort rules?
I think about the following:
First solution:
I can do it with the tag option to log all the packet from the
source host during the 15 seconds.
var MY_NET 192.168.1.0/24
var MY_CGI_SERVER 192.168.1.1
var MY_IMAGE_SERVER 192.168.1.2
var HTTP 80
alert tcp !$MY_NET any -> $MY_CGI_SERVER $HTTP (content:"GET";
content:".cgi"; tag: host, 15, seconds, src; msg:"Get CGI";)
And I will do post analysis from the log to see if the source host
does or does not request a GET to $MY_IMAGE_SERVER.
But the growing traffic will overflow the logging and analysis process.
Second solution:
log tcp !$MY_NET any -> $MY_CGI_SERVER $HTTP (content:"GET";
content:".cgi"; msg:"Get CGI"; logto:"host-get-cgi.file";)
log tcp !$MY_NET any -> $MY_IMAGE_SERVER $HTTP (content:"GET";
content:".jpg"; msg:"Get JPEG"; logto:"host-get-image.file";)
And I will do
diff host-get-cgi.file host-get-image.file
to get the host that did NOT request the $MY_IMAGE_SERVER.
But I cannot react within 15 seconds.
Third solution:
Can you write another solution?
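Snort rules match one packet at a time, so the "CGI request not followed by an image request within 15 seconds" condition has to be correlated outside the rule engine. The following is an added example, not code from the post or from the Snort project: it reads the alerts that the two rules above would produce in Snort's "fast" alert format (one line per alert, carrying the rule's msg and the source address), keeps each "Get CGI" source pending for the 15-second window, and reports it as soon as the window closes without a "Get JPEG" from the same source. The log lines are constructed sample data, the IP addresses are hypothetical, and the exact fast-format spacing is assumed; the regex is written to be tolerant of it.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Message strings from the two log rules in the post; the window is the one the post asks for.
CGI_MSG = "Get CGI"
IMAGE_MSG = "Get JPEG"
WINDOW = timedelta(seconds=15)

# Tolerant parser for Snort "fast" alert lines (format assumed from snort -A fast):
#   <mm/dd-HH:MM:SS.ffffff> [**] [gid:sid:rev] <msg> [**] ... {TCP} <src>:<port> -> <dst>:<port>
ALERT_RE = re.compile(
    r"^(\S+)\s+\[\*\*\]\s+\[[^\]]*\]\s+(.*?)\s+\[\*\*\].*?\{TCP\}\s+(\d+\.\d+\.\d+\.\d+):\d+\s+->"
)

Alert = namedtuple("Alert", "time msg src")

# Constructed sample alerts (hypothetical addresses). One line is deliberately out of order.
SAMPLE_LOG = """\
10/29-23:59:00.000000 [**] [1:1000001:1] Get CGI [**] [Priority: 0] {TCP} 10.0.0.5:40001 -> 192.168.1.1:80
10/29-23:59:03.000000 [**] [1:1000002:1] Get JPEG [**] [Priority: 0] {TCP} 10.0.0.5:40002 -> 192.168.1.2:80
10/29-23:59:05.000000 [**] [1:1000001:1] Get CGI [**] [Priority: 0] {TCP} 10.0.0.9:51000 -> 192.168.1.1:80
10/29-23:59:10.000000 [**] [1:1000002:1] Get JPEG [**] [Priority: 0] {TCP} 10.0.0.7:60000 -> 192.168.1.2:80
10/29-23:59:20.000000 [**] [1:1000001:1] Get CGI [**] [Priority: 0] {TCP} 10.0.0.7:60001 -> 192.168.1.1:80
10/29-23:59:14.000000 [**] [1:1000001:1] Get CGI [**] [Priority: 0] {TCP} 10.0.0.11:42000 -> 192.168.1.1:80
10/29-23:59:25.000000 [**] [1:1000002:1] Get JPEG [**] [Priority: 0] {TCP} 10.0.0.9:51001 -> 192.168.1.2:80
10/29-23:59:29.000000 [**] [1:1000002:1] Get JPEG [**] [Priority: 0] {TCP} 10.0.0.11:42001 -> 192.168.1.2:80
"""


def parse_alert(line):
    """Return an Alert for a recognised fast-format line, else None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    # Fast format carries no year (unless snort runs with -y), so strptime fills in
    # 1900; ordering is still correct as long as the log does not cross a year boundary.
    when = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
    return Alert(when, m.group(2), m.group(3))


class CgiWithoutImageDetector:
    """Streaming correlator: a CGI GET that is not followed by an image GET from the
    same source within the window is reported as soon as the window closes."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.pending = {}  # src -> time of the earliest unpaired "Get CGI"

    def _expire(self, now):
        # The window is inclusive: an image request exactly 15 s later still pairs.
        expired = [(src, t) for src, t in self.pending.items() if now - t > self.window]
        for src, _ in expired:
            del self.pending[src]
        return expired

    def feed(self, alert):
        """Process one alert (in time order); return (src, cgi_time) pairs that expired unpaired."""
        expired = self._expire(alert.time)
        if alert.msg == CGI_MSG:
            self.pending.setdefault(alert.src, alert.time)  # keep the earliest request
        elif alert.msg == IMAGE_MSG:
            self.pending.pop(alert.src, None)  # paired: expiry already ran for this instant
        return expired

    def flush(self, now):
        """Close windows that have elapsed by `now` (the current time, or the end of a capture)."""
        return self._expire(now)


def run(lines, window=WINDOW):
    """Correlate a batch of alert lines; return [(src, "HH:MM:SS" of the unpaired CGI GET), ...]."""
    alerts = sorted((a for a in map(parse_alert, lines) if a is not None), key=lambda a: a.time)
    detector = CgiWithoutImageDetector(window)
    hits = []
    for alert in alerts:
        hits.extend(detector.feed(alert))
    if alerts:
        # End of capture: assume no later image requests arrive, so every open window closes.
        hits.extend(detector.flush(alerts[-1].time + window))
    return [(src, t.strftime("%H:%M:%S")) for src, t in hits]


if __name__ == "__main__":
    for src, when in run(SAMPLE_LOG.splitlines()):
        print(f"{src} requested a CGI at {when} with no image request in the next 15 s")
```

On the sample, 10.0.0.5 and 10.0.0.11 are paired (the latter exactly on the 15-second boundary), 10.0.0.9 is reported because its image request arrives 20 seconds later, and 10.0.0.7 is reported because its image request came before the CGI request, not after. For live use, feed the detector from a tail of the fast alert file and call flush() periodically with the wall-clock time so a window can close even when no further alerts arrive.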