Snort mailing list archives
snort rule- question about flowbits
From: Dana Igra via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 14 Apr 2022 15:06:21 +0300
Hi! I saw the blog on https://seclists.org/snort/, and I will be happy to use your help with a question: I'm trying to build a single session with flowbits to save the packets from both rules in the same session. My rules are similar to the following example (please ignore the content, it is just for the example and not the problem):

    alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"example"; flow:to_server,established; content:"SMB"; depth:8; content:"example1"; flowbits:set,example; sid:1234; rev:1; tag:session,100,packets,60,seconds;)

    alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"example"; flow:to_server,established; content:"SMB"; depth:8; content:"example2"; flowbits:isset,example; sid:1235; rev:1; tag:session,100,packets,60,seconds;)

The good thing is that both of the rules work, and I have packets from both of them. The problem is that they are not saved in the same session. I want a single session to be created when both of the contents are seen. Is there a way to do that? Thanks!!

Dana
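To make the flowbits dependency between the two rules concrete, here is a small Python model of the mechanism the post relies on. It is an added example, not code from the post or from Snort: it tracks a named bit per TCP flow, lets a `flowbits:set` rule turn it on and a `flowbits:isset` rule test it, and applies `content`/`depth` matching the way the two rules above use it. The packets, flow tuples and payloads are constructed; the model says nothing about how Snort's `tag` keyword groups logged packets, which is the part of the question left open.

```python
"""Toy model of Snort flowbits state shared across packets of one flow.

Added example, not from the original post or from Snort. It models only
what the two rules in the post use: a per-flow bit that flowbits:set
turns on and flowbits:isset tests, and content matching limited by
depth. All packet data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    sid: int
    contents: List[Tuple[bytes, Optional[int]]]  # (pattern, depth or None)
    flowbit_set: Optional[str] = None             # flowbits:set,<name>
    flowbit_isset: Optional[str] = None           # flowbits:isset,<name>


def flow_key(p: Packet):
    # Flowbits are kept per flow; the 4-tuple is enough for this model
    # (the post's rules are all to_server, so direction is fixed).
    return (p.src, p.sport, p.dst, p.dport)


def content_matches(payload: bytes, pattern: bytes, depth: Optional[int]) -> bool:
    # depth:N restricts the search to the first N bytes of the payload.
    window = payload if depth is None else payload[:depth]
    return pattern in window


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, int]]:
    """Return (sid, packet index) for every alert, in packet order."""
    flowbits = {}  # flow key -> set of bit names currently set
    alerts = []
    for i, pkt in enumerate(packets):
        bits = flowbits.setdefault(flow_key(pkt), set())
        for r in rules:
            if not all(content_matches(pkt.payload, pat, d) for pat, d in r.contents):
                continue
            # isset: the rule can only fire once an earlier packet of the
            # same flow has set the bit.
            if r.flowbit_isset and r.flowbit_isset not in bits:
                continue
            if r.flowbit_set:
                bits.add(r.flowbit_set)
            alerts.append((r.sid, i))
    return alerts


# The two rules from the post, reduced to what this model supports.
RULES = [
    Rule(sid=1234, contents=[(b"SMB", 8), (b"example1", None)], flowbit_set="example"),
    Rule(sid=1235, contents=[(b"SMB", 8), (b"example2", None)], flowbit_isset="example"),
]

# Constructed packets. Flow A sees example2 before example1 (no alert),
# then example1 (sets the bit), then example2 (isset now true).
# Flow B sees example2 alone: the bit belongs to flow A, so no alert.
PACKETS = [
    Packet("10.0.0.5", 50001, "10.0.0.9", 445, b"\xffSMB example2 early"),
    Packet("10.0.0.5", 50001, "10.0.0.9", 445, b"\xffSMB example1"),
    Packet("10.0.0.5", 50001, "10.0.0.9", 445, b"\xffSMB example2"),
    Packet("10.0.0.7", 50002, "10.0.0.9", 445, b"\xffSMB example2"),
]

if __name__ == "__main__":
    for sid, idx in evaluate(RULES, PACKETS):
        print(f"sid {sid} fired on packet {idx}")
```

Running it shows sid 1234 firing on packet 1 and sid 1235 only on packet 2 of the same flow; the example2 payload in packet 0 (bit not yet set) and in flow B (different flow) produces nothing. That ordering and per-flow scoping is exactly what ties the two rules together, independent of how the matched packets are later logged.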