[Snort-users] Snort Return/Response packets

Thibault SOC thibaultsoc at ...11827...
Wed Dec 28 08:19:51 EST 2011


Hi,

Yes, it does exactly what I want. Thanks for the help.

Thibault

2011/12/28 Alex Kirk <akirk at ...1935...>

> That's what flowbits are for. See here:
> http://manual.snort.org/node32.html#SECTION004610000000000000000
>
> On Wed, Dec 28, 2011 at 6:33 AM, Thibault SOC <thibaultsoc at ...11827...> wrote:
>
>> Hi,
>>
>> I would like to know if Snort can handle the response packets from an
>> attack. As an example, for a web attack:
>>
>> If an "XSS attempt" rule matches, I want to get another Snort alarm based on
>> the HTTP response code, like "200 OK", "403 Forbidden" or "404 Not Found", linked
>> to the first alarm (XSS).
>>
>> I don't want to create a "200 OK" rule because it would match all web
>> traffic; I want a rule that only matches the traffic/response
>> belonging to the attack.
>>
>> This second alarm can help me see whether the attack succeeded or not in my
>> SIEM (with correlation rules).
>>
>> Thanks for your help/feedback,
>>
>> Thibault.
>>
>
> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...1935...
>
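As an added example (not rules from the thread or from the Snort ruleset), here is the flowbits chain Alex points to, written as Snort 2.9 rules: the request-side rule marks the flow, and the response-side rules fire only on a marked flow and then clear the mark. The sids, the flowbit name and the crude `<script` match are assumptions; `http_stat_code` (and the `S` pcre modifier) needs `extended_response_inspection` enabled in the http_inspect server profile.

```snort
# Added example: "attack request -> response status" chain using flowbits.
# Assumed sids 1000001-1000003, flowbit name web.xss_attempt, and the
# placeholder "<script" content match.

# 1) Request side: raise the XSS alarm as usual and mark the TCP flow.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"WEB-ATTACK XSS attempt in URI"; \
    flow:to_server,established; \
    content:"<script"; nocase; http_uri; \
    flowbits:set,web.xss_attempt; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# 2) Response side: matches only when rule 1 marked this flow.
#    A 200 means the server accepted the request; the bit is cleared so a
#    later request on the same keep-alive connection does not inherit it.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"WEB-ATTACK XSS attempt answered 200 OK"; \
    flow:to_client,established; \
    flowbits:isset,web.xss_attempt; \
    content:"200"; http_stat_code; \
    flowbits:unset,web.xss_attempt; \
    classtype:successful-recon-limited; sid:1000002; rev:1; )

# 3) Same chain for a rejected/failed request (403 or 404) so the SIEM can
#    tell "blocked" from "accepted"; the bit is cleared here as well.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"WEB-ATTACK XSS attempt answered 403/404"; \
    flow:to_client,established; \
    flowbits:isset,web.xss_attempt; \
    pcre:"/^40[34]$/S"; \
    flowbits:unset,web.xss_attempt; \
    classtype:attempted-recon; sid:1000003; rev:1; )
```

The `<script` match is only a stand-in for whatever XSS signature is already in use; the point is the set/isset/unset pairing, which ties each response alert to the request alert on the same flow without firing on ordinary web traffic.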