[Snort-users] Alarm rule specific to a network session

Joel Esler jesler at ...1935...
Fri Mar 22 10:45:58 EDT 2013


On Mar 22, 2013, at 10:36 AM, Knut Borg <knutborg at ...11827...> wrote:

> Hey
> 
> I know this is mostly unlikely, but I'm willing to give it a shot. If you create a detection rule based on a magic number of a specific file, is it possible to make a new rule which will detect the footer of the file in that specific session? I.e. the "footer" alarm will not trigger if no header has been detected in the same session.


Dear Knut,

Thanks for your email.  I believe you will find what you are looking for here: http://manual.snort.org/node470.html

Flowbits are a way to tie two rules together for one result.

Take a look at the file-identify.rules category for rules that detect different types of files, and if you have any rules written (or write any) that we don't already cover, we'd be glad to include them.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
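The header/footer pairing described above, as an added example written for this thread (not Joel's code and not taken from the file-identify.rules category). It uses PDF as the file type, since its magic number ("%PDF-") and trailer ("%%EOF") are fixed byte strings; the flowbit name file.pdf, the HTTP-delivery assumption, and the local SIDs 1000001 and 1000002 are choices made for the example:

```snort
# Rule 1: set a flowbit when the PDF magic number is seen at the start of an
# HTTP response body. flowbits:noalert keeps this rule silent; it exists only
# to mark the flow.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"FILE-IDENTIFY PDF magic in HTTP response (sets file.pdf)"; \
    flow:to_client,established; \
    file_data; content:"%PDF-"; depth:5; \
    flowbits:set,file.pdf; flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1; )

# Rule 2: alert on the PDF trailer only if Rule 1 already marked this flow.
# flowbits:isset is the gate; without the header, this rule never fires.
# flowbits:unset clears the mark once the trailer is seen, so a later file on
# the same keep-alive connection has to present its own header again.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"FILE-IDENTIFY PDF trailer in flow that carried a PDF header"; \
    flow:to_client,established; \
    flowbits:isset,file.pdf; \
    file_data; content:"%%EOF"; \
    flowbits:unset,file.pdf; \
    classtype:misc-activity; sid:1000002; rev:1; )
```

Two caveats a practitioner will want: flowbits are tracked per flow by the stream preprocessor, so the stream5 preprocessor must be enabled and the two packets must belong to the same reassembled TCP session; and because a flowbit persists for the life of the flow, a persistent HTTP connection that carries several responses would let a header from one file satisfy the trailer check of a later one unless the bit is unset as above (or the rules are scoped further with the HTTP inspection keywords).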