Snort mailing list archives

Linking Snort Rules


From: Mike Smith <yellowmikeroad () gmail com>
Date: Thu, 25 Aug 2016 17:37:33 +0100

Good Morning All,


I'm hoping someone can help me. I have some traffic that I am attempting to
signature up but am encountering some difficulties.


First I'll briefly explain the traffic. Device A receives an SNMP request to
update its firmware, it then connects back via TFTP to download the
firmware file.


Now, I have a signature that detects the SNMP traffic fine (the MIB etc),
and I now want to detect the TFTP traffic following this, but I ONLY want
this FTP rule to be activated if the first rule (the SNMP rule) fires.
Obviously I cannot use Flowbits, and by trawling the other rules and manual
I can't really see anything that I believe would fit these criteria.


Any advice is appreciated,


Mike
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
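
One way to get the "TFTP alert only after the SNMP alert" behaviour described in the message above is to let both rules fire independently and correlate their alerts afterwards, keyed on Device A's address. This is an added example, not part of the original post; the SIDs, the 60-second window and the fast-format alert lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

SNMP_SID, TFTP_SID = 1000001, 1000002   # hypothetical local SIDs for the two rules
WINDOW = timedelta(seconds=60)          # assumed gap allowed between SNMP and TFTP

# Snort "fast" alert line: timestamp, [gid:sid:rev], {proto}, src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+")

def parse(line):
    """Return (time, sid, src_ip, dst_ip), or None for a non-alert line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    return ts, int(m["sid"]), m["src"], m["dst"]

def correlate(lines, window=WINDOW):
    """Keep a TFTP alert only if its source was the destination of an
    SNMP firmware-update alert no more than `window` earlier."""
    armed = {}   # Device A address -> time of its latest SNMP alert
    hits = []
    for ts, sid, src, dst in filter(None, map(parse, lines)):
        if sid == SNMP_SID:
            armed[dst] = ts                      # SNMP request sent *to* Device A
        elif sid == TFTP_SID and src in armed:   # TFTP request sent *from* Device A
            if timedelta(0) <= ts - armed[src] <= window:
                hits.append((src, armed[src], ts))
                del armed[src]                   # one SNMP trigger links one download
    return hits

# Constructed sample alerts (documentation addresses, not real traffic)
SAMPLE = [
    "08/25-17:37:33.100000  [**] [1:1000001:1] SNMP firmware update [**] [Priority: 2] {UDP} 192.0.2.10:40000 -> 192.0.2.50:161",
    "08/25-17:37:35.200000  [**] [1:1000002:1] TFTP read request [**] [Priority: 2] {UDP} 192.0.2.50:49152 -> 192.0.2.10:69",
    "08/25-17:40:00.000000  [**] [1:1000002:1] TFTP read request [**] [Priority: 2] {UDP} 192.0.2.77:49153 -> 192.0.2.10:69",
    "08/25-17:41:00.000000  [**] [1:1000001:1] SNMP firmware update [**] [Priority: 2] {UDP} 192.0.2.10:40001 -> 192.0.2.60:161",
    "08/25-17:45:00.000000  [**] [1:1000002:1] TFTP read request [**] [Priority: 2] {UDP} 192.0.2.60:49154 -> 192.0.2.10:69",
]

if __name__ == "__main__":
    for device, snmp_ts, tftp_ts in correlate(SAMPLE):
        print(f"{device}: SNMP update at {snmp_ts.time()}, TFTP at {tftp_ts.time()}")
```

Only the first SNMP/TFTP pair is reported: the second TFTP alert has no preceding SNMP alert for its source, and the third arrives outside the window.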