Snort mailing list archives
Re: Gathering the session for a two rule setup
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 30 Jan 2017 22:37:32 +0000
Can you capture a pcap of the traffic you are attempting to analyze and throw it on here?

--
Joel Esler | Talos: Manager | jesler () cisco com
On Jan 30, 2017, at 5:16 PM, Joshua Ochsankehl <joshua.ochsankehl () gmail com> wrote:

I am using an older version of Sourcefire 5 and I am trying to capture some traffic using two rules: one looking for a specific URI string; this rule sets the flowbit and packet tagging for 10 packets and is also turned to noalert. Then I wrote the second rule to capture the 200 OK response from the session, looking for the flowbit. This works but doesn't return the session, only the 200 OK. Is there a keyword I am not thinking about? And the noalert has no bearing on the results. I've tested just about every variation of this and can't seem to get it.

NOTE: I'm trying to avoid full packet capture and just need full packet on a case-by-case basis.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Attachment:
signature.asc
Description: Message signed with OpenPGP
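The two-rule arrangement Joshua describes, written out as an added example for readers of the thread. These are not rules from the original post or from the Snort ruleset, and they have not been tested against his Sourcefire 5 deployment; the URI string, the flowbit name, the msg text and the sids are placeholders. Rule 1 matches the request URI, sets a flowbit, suppresses its own alert with flowbits:noalert and tags the following 10 packets of the session; rule 2 fires on the 200 OK only when that flowbit is set.

```snort
# Rule 1: the request of interest. Sets a flowbit on the session, suppresses
# its own alert, and asks Snort to tag the next 10 packets of the session.
# "/example/path" and the flowbit name "example.request" are placeholders.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE tagged request"; \
    flow:to_server,established; \
    content:"/example/path"; http_uri; \
    flowbits:set,example.request; \
    flowbits:noalert; \
    tag:session,10,packets; \
    classtype:misc-activity; sid:1000001; rev:1; \
)

# Rule 2: the 200 OK on the same session, gated on the flowbit set by rule 1.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE 200 OK on tagged session"; \
    flow:to_client,established; \
    flowbits:isset,example.request; \
    content:"200"; http_stat_code; \
    classtype:misc-activity; sid:1000002; rev:1; \
)
```

To check the behaviour against a capture, as Joel asks for, replay the pcap through Snort offline (`snort -c snort.conf -r capture.pcap -l ./log`) and compare what lands in the log directory with the alert from sid 1000002: whether the tagged session packets are logged alongside it is exactly what the pcap would settle.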
Current thread:
- Gathering the session for a two rule setup Joshua Ochsankehl (Jan 30)
- Re: Gathering the session for a two rule setup Joel Esler (jesler) (Jan 30)
- Re: Gathering the session for a two rule setup Joshua Ochsankehl (Jan 31)
- Re: Gathering the session for a two rule setup Joel Esler (jesler) (Jan 30)