Snort mailing list archives
Re: Snort as IPS and correlation
From: <stephane.nasdrovisky () paradigmo com>
Date: Fri, 10 Apr 2015 20:32:59 +0200
My guess is flowbit: set in rule A, flowbit: isset in rule B (rule B takes action, not rule A).

The pdf manual (https://www.snort.org/documents/1 or https://www.snort.org/#documents) says, in 3 "Writing Snort rules", 3.6 "Non-payload detection rule options", 3.6.10 "flowbits":

  Most of the options need a user-defined name for the specific state that is being checked.
  flowbits:[set|isset][, <GROUP_NAME>];

You'll find flowbit: set examples in some existing rules. flowbit is described in "ips options" for snort 3/snort++.

Other solutions may come from other IDSes like bro, prelude IDS or haka.

> Subject: [Snort-sigs] Snort as IPS and correlation
>
> 1- Snort receives a packet that matches a rule [RULE A] (RULE A includes blocking the source address in iptables through snortsam)
> 2- The action for [RULE A] stays in "standby" until another rule [RULE B] is matched
> 3- Once [RULE B] is matched, [RULE A] performs the actions configured on it.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
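The set/isset pairing described in the reply, written out as two Snort 2 rules. This is an added example, not code from the original thread or from the Snort rule set: the rule names, the flowbit name `example.ftp_login`, the SIDs in the local range and the FTP traffic they match are all chosen for illustration. Rule A only records state (`flowbits:noalert` keeps it from alerting on its own); rule B is the one that alerts and, on a SnortSAM-patched Snort, carries the `fwsam` blocking option. Note that a flowbit is tracked per flow (per TCP session), so the correlation is "B seen after A in the same session", not "B seen from the same source address as A" across sessions.

```snort
# Rule A: mark the flow when an FTP login is attempted, but do not alert.
# flowbits:set stores the state under the name example.ftp_login (hypothetical name);
# flowbits:noalert suppresses the alert so only the state change happens.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( \
    msg:"EXAMPLE FTP login attempt seen"; \
    flow:to_server,established; \
    content:"USER "; nocase; \
    flowbits:set,example.ftp_login; \
    flowbits:noalert; \
    classtype:misc-activity; \
    sid:1000001; rev:1; \
)

# Rule B: fires only if rule A already set the flowbit earlier in this same flow.
# The blocking action lives here, on the correlated rule, not on rule A.
# fwsam is the option added by the SnortSAM patch (assumed to be installed):
# block the source address for 15 minutes when this rule matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( \
    msg:"EXAMPLE FTP SITE EXEC after login attempt"; \
    flow:to_server,established; \
    flowbits:isset,example.ftp_login; \
    content:"SITE EXEC"; nocase; \
    fwsam: src, 15 minutes; \
    classtype:attempted-admin; \
    sid:1000002; rev:1; \
)
```

Drop these in a local.rules file, run `snort -T -c snort.conf` to confirm they parse, and then replay a capture containing a USER command followed by SITE EXEC in one session: only sid 1000002 should alert, and only if 1000001 matched first on that flow. If the original poster's intent is really "block the source once A and B have both been seen from the same address", flowbits alone will not do it across separate sessions, which is where the reply's pointer to other engines (or an external correlator) comes in.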
Current thread:
- Snort as IPS and correlation Daniel Lopez (Apr 10)
- Re: Snort as IPS and correlation lists () packetmail net (Apr 10)
- Re: Snort as IPS and correlation James Lay (Apr 10)
- Re: Snort as IPS and correlation stephane.nasdrovisky (Apr 10)