Snort mailing list archives
Re: Advice on multiple packet capture
From: bob harley <bobb.harley () gmail com>
Date: Wed, 14 Jan 2009 00:13:08 -0500
jeffs,

Sounds like this may be an appropriate use for flowbits (http://www.snort.org/archive-3-717.html).

On Mon, Jan 12, 2009 at 4:23 PM, jeffs <jeffs () speakeasy net> wrote:

> I've been using Snort and still consider myself a newbie although I am fairly familiar with writing basic rules. Unfortunately, the feat I need to perform may need a more advanced set of eyes so I am hoping someone on this list may be able to help me out.
>
> I need to get only 1 alert on two separate GET requests that contain different .jpg file names. For example, there is a web page, it contains A.jpg and B.jpg. If someone looks at it I want to be able to get one alert but NOT if they look at a different page which contains A.jpg and NOT B.jpg or still yet a different page that contains B.jpg and NOT A.jpg. Only the page that contains BOTH .jpgs should generate 1 alert.
>
> I've tried the within keyword but I believe this only searches within a single packet and as the two separate jpg files are sent via two separate GET requests, I believe I am working with more than one packet, am I correct in that assumption?
>
> Thanks for any advice.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
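A sketch of the flowbits approach suggested in the reply above, added here as an example and not taken from the thread. The flowbit names (`seen_a`, `seen_b`), the `msg` text and the local `sid` values are assumptions, and `$EXTERNAL_NET`, `$HTTP_SERVERS` and `$HTTP_PORTS` are assumed to be defined in `snort.conf`.

```snort
# Added example (not from the original thread). Flowbit names, msg text and
# sids are constructed; sids are taken from the local range (>= 1000000).

# Setter rules: remember that each image was requested on this TCP session.
# flowbits:noalert keeps these two rules silent.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"LOCAL A.jpg requested (state only)"; \
     flow:to_server,established; uricontent:"/A.jpg"; nocase; \
     flowbits:set,seen_a; flowbits:noalert; \
     sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"LOCAL B.jpg requested (state only)"; \
     flow:to_server,established; uricontent:"/B.jpg"; nocase; \
     flowbits:set,seen_b; flowbits:noalert; \
     sid:1000002; rev:1;)

# Checker rules: alert only when the other image was already requested on the
# same session. One rule per request order, since the browser may fetch the
# images in either order.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"LOCAL page with A.jpg and B.jpg viewed (A then B)"; \
     flow:to_server,established; uricontent:"/B.jpg"; nocase; \
     flowbits:isset,seen_a; \
     sid:1000003; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"LOCAL page with A.jpg and B.jpg viewed (B then A)"; \
     flow:to_server,established; uricontent:"/A.jpg"; nocase; \
     flowbits:isset,seen_b; \
     sid:1000004; rev:1;)
```

Flowbits state is kept per TCP session, so these rules correlate the two requests only when the browser sends both over the same connection (HTTP keep-alive); images fetched over separate connections will not match. A repeated request for either image later on the same session can fire a checker rule again.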
Current thread:
- Advice on multiple packet capture jeffs (Jan 12)
- Re: Advice on multiple packet capture bob harley (Jan 13)
- Re: Advice on multiple packet capture pieter claassen (Jan 13)
- Re: Advice on multiple packet capture Leon Ward (Jan 14)
- Re: Advice on multiple packet capture Matt Olney (Jan 14)
- Re: Advice on multiple packet capture jeffs (Jan 14)
- Re: Advice on multiple packet capture Leon Ward (Jan 14)