[Snort-users] Alarm rule specific to a network session

Knut Borg knutborg at ...11827...
Fri Mar 22 10:36:18 EDT 2013


Hey

I know this is mostly unlikely, but I'm willing to give it a shot. If you
create a detection rule based on a magic number of a specific file, is it
possible to make a new rule which will detect the footer of the file in
that specific session? I.e. the "footer" alarm will not trigger if no
header have been detected in the same session.





Knut
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130322/34af576f/attachment.html>


More information about the Snort-users mailing list