[Snort-users] Snort Return/Response packets

Alex Kirk akirk at ...1935...
Wed Dec 28 08:07:17 EST 2011


That's what flowbits are for. See here:
http://manual.snort.org/node32.html#SECTION004610000000000000000

On Wed, Dec 28, 2011 at 6:33 AM, Thibault SOC <thibaultsoc at ...11827...> wrote:

> Hi,
>
> I would like to know if Snort can handle the response packets from an
> attack. As an example, for a web attack:
>
> If an "XSS attempt" rule matches, I want to get another Snort alarm based on
> the HTTP response code, like "200 OK", "403 Forbidden", or "404 Not Found", linked
> to the first alarm (XSS).
>
> I don't want to create a "200 OK" rule because it will match all web
> traffic; but I want to create a rule that will only match traffic/responses
> related to the attack.
>
> This 2nd alarm can help me to see if the attack is a success or not in my
> SIEM (with correlation rules).
>
> Thanks for any help/feedback,
>
> Thibault.
>

-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
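One way to express the request/response correlation Thibault describes with the flowbits Alex points to, as an added example that is not part of the original thread and not a rule from the Snort project or the VRT ruleset. The first rule is a deliberately simple stand-in for a real "XSS attempt" signature (the `<script` pattern, the `xss.attempt` flowbit name and the sid values are all assumptions chosen for illustration); it sets a flowbit on the client-to-server request, and the response rules fire only on the server's reply within the same TCP session when that bit is set and the status code matches. Because HTTP keep-alive sessions carry many request/response pairs, each response rule also clears the bit so a later, unrelated response on the same connection does not inherit it.

```snort
# Constructed example rules (Snort 2.9 syntax, http_inspect preprocessor enabled).
# All sids are in the local range (>= 1000000) and are assumptions for this example.

# 1. Request side: detect the attempt and remember it on this flow.
#    The content match is a placeholder, not a production XSS signature.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"EXAMPLE XSS attempt in URI"; \
    flow:to_server,established; \
    content:"<script"; nocase; http_uri; \
    flowbits:set,xss.attempt; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# 2. Response side: one rule per status code of interest. Each rule only
#    fires if xss.attempt was set earlier on the same session, inspects the
#    HTTP status code field only (http_stat_code), and clears the bit so the
#    next response on a keep-alive connection is not mis-attributed.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE XSS attempt answered 200 OK (possible success)"; \
    flow:to_client,established; \
    flowbits:isset,xss.attempt; \
    content:"200"; http_stat_code; \
    flowbits:unset,xss.attempt; \
    classtype:web-application-attack; sid:1000002; rev:1; )

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE XSS attempt answered 403 Forbidden (blocked)"; \
    flow:to_client,established; \
    flowbits:isset,xss.attempt; \
    content:"403"; http_stat_code; \
    flowbits:unset,xss.attempt; \
    classtype:web-application-attack; sid:1000003; rev:1; )

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE XSS attempt answered 404 Not Found"; \
    flow:to_client,established; \
    flowbits:isset,xss.attempt; \
    content:"404"; http_stat_code; \
    flowbits:unset,xss.attempt; \
    classtype:web-application-attack; sid:1000004; rev:1; )
```

Two practical notes for the SIEM correlation Thibault has in mind: the request and response alerts share the same 5-tuple (with source and destination swapped), which is the key a correlation rule can join on; and if only the correlated response alert is wanted, `flowbits:set,xss.attempt; flowbits:noalert;` on the request rule suppresses the first alert while still setting the bit. Note that `http_stat_code` depends on http_inspect normalising the server response, so the server must be covered by an `http_inspect_server` configuration for these response rules to match.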