[Snort-users] Snort Return/Response packets

Thibault SOC thibaultsoc at ...11827...
Wed Dec 28 06:33:05 EST 2011


I would like to know if Snort can handle the response packets from an
attack? As an example, for a web attack:

If an "XSS attempt" rule matches, I want to get another Snort alarm based on
the HTTP response code like "200 OK", "403 Forbidden", "404 Not Found", linked
to the first alarm (XSS).

I don't want to create a "200 OK" rule because it will match all web
traffic; but I want to create a rule that will only match traffic/responses
regarding the attack.

This second alarm can help me to see if the attack is a success or not in my
SIEM (with correlation rules).

Thanks for help/feedback,

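One way to get the linked second alarm the post asks for is Snort's flowbits: the request rule sets a per-flow flag, and the response rules only fire when that flag is set on the same connection. The rules below are an added example written for this thread, not the poster's rules or part of the official Snort rule set; the sids, flowbit name and the simple `<script` content match are placeholders chosen for illustration, and `http_stat_code` assumes the http_inspect preprocessor is configured with `extended_response_inspection`.

```snort
# Request side: the existing "XSS attempt" detection, extended with a flowbit.
# The rule still alerts on its own; flowbits:set only marks the TCP flow so that
# the response rules below can refer back to it. (Constructed example rule.)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL WEB XSS attempt in URI"; \
    flow:to_server,established; \
    content:"<script"; nocase; http_uri; \
    flowbits:set,local.xss.attempt; \
    classtype:web-application-attack; \
    sid:1000001; rev:1; )

# Response side: these rules do NOT match every "200 OK" on the wire, because
# flowbits:isset restricts them to flows where sid 1000001 already fired.
# flowbits:unset clears the flag after the first response so a later request
# on the same keep-alive connection is not mis-attributed.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"LOCAL WEB XSS attempt answered 200 OK (check for success)"; \
    flow:to_client,established; \
    flowbits:isset,local.xss.attempt; \
    flowbits:unset,local.xss.attempt; \
    content:"200"; http_stat_code; \
    classtype:web-application-attack; \
    sid:1000002; rev:1; )

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"LOCAL WEB XSS attempt answered 403 Forbidden (blocked)"; \
    flow:to_client,established; \
    flowbits:isset,local.xss.attempt; \
    flowbits:unset,local.xss.attempt; \
    content:"403"; http_stat_code; \
    classtype:web-application-activity; \
    sid:1000003; rev:1; )

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"LOCAL WEB XSS attempt answered 404 Not Found"; \
    flow:to_client,established; \
    flowbits:isset,local.xss.attempt; \
    flowbits:unset,local.xss.attempt; \
    content:"404"; http_stat_code; \
    classtype:web-application-activity; \
    sid:1000004; rev:1; )
```

Snort does not emit an explicit link between the two alerts, so the SIEM correlation has to join them on the shared 5-tuple (the response alert's source/destination are the request alert's reversed) within a short time window. Because flowbits are per TCP flow, a response carried on a different connection than the request will not trigger the second rule.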