[Snort-users] Alarm rule specific to a network session
jesler at ...1935...
Fri Mar 22 10:45:58 EDT 2013
On Mar 22, 2013, at 10:36 AM, Knut Borg <knutborg at ...11827...> wrote:
> I know this is mostly unlikely, but I'm willing to give it a shot. If you create a detection rule based on a magic number of a specific file, is it possible to make a new rule which will detect the footer of the file in that specific session? I.e. the "footer" alarm will not trigger if no header has been detected in the same session.
Thanks for your email. I believe you will find what you are looking for here: http://manual.snort.org/node470.html
Flowbits are a way to tie two rules together for one result.
Take a look at the file-identify.rules category for rules that detect different types of files, and if you have any rules written (or write any) that we don't already cover, we'd be glad to include them.
Senior Research Engineer, VRT
OpenSource Community Manager
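The header/footer pairing asked about above, written as a flowbits rule pair. This is an added example, not part of the original message and not taken from file-identify.rules. It assumes PDF as the file type (`%PDF-` header, `%%EOF` trailer), a hypothetical flowbit name `local.pdf.header`, constructed SIDs from the local range, and HTTP delivery to the client.

```snort
# Constructed example: PDF stands in for "a specific file"; names and SIDs are local placeholders.

# Rule 1: the magic number was seen. Record that on this session and stay silent
# (flowbits:noalert suppresses the alert, so this rule only sets state).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF header seen"; flow:to_client,established; content:"%PDF-"; flowbits:set,local.pdf.header; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)

# Rule 2: the footer alerts only when rule 1 already set the bit on the same session.
# Without a prior header match, flowbits:isset fails and this rule never fires.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PDF footer after header in same session"; flow:to_client,established; flowbits:isset,local.pdf.header; content:"%%EOF"; classtype:misc-activity; sid:1000002; rev:1;)
```

Flowbit state is kept per tracked session, so the stream preprocessor has to be enabled, and a header in one connection will not arm the footer rule in another.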