Re: Advice on multiple packet capture

[jeffs <jeffs () speakeasy net>]

Leon I agree - after studying flowbits a bit I see that my requirement 
is not met by it.  Your suggestion of looking at the http_inspect 
flow_depth seems interesting and I will follow up.  I'm a bit of a 
newbie here so I may ask for some help or examples in the forum of using 
that option.

thanks for you help

Leon Ward wrote:
> Hi
>
> The flowbit is only valid for the stream where it has been set.
> The two GET's for the JPG files (as you stated) will be in separate 
> requests so flowbits wont help you here.
>
> Instead of focusing on the URI of the GET, how about you focus on the 
> HTML source of the web page that contains the <img src="a.jpg"> tags?
>
> Hints
>  - Check out http_inspect's flow_depth   
>  - Pay attention to the encoding used by the webserver serving the HTML.
>
> -Leon
>
>
> On 14 Jan 2009, at 07:39, pieter claassen wrote:
>
> > Yes, I agree. What you need to do is write two sets of rules that are 
> > statefull:
> >
> > Something like this:
> > Rule1: uricontent:a.jpg; flowbits:set, ajpg.seen; noalert
> > Rule2: flowbits:isset,ajpg.seen, uricontent:b.jpg; msg: "saw a.jpg 
> > and then b.jpg"
> > Rule3: uricontent:b.jpg; flowbits:set, bjpg.seen; noalert
> > Rule4: flowbits:isset,bjpg.seen; uricontent:a.jpg; msg: "saw b.jpg 
> > and then a.jpg"
> >
> > Regards,
> > Pieter
> >
> > On Mon, Jan 12, 2009 at 10:23 PM, jeffs <jeffs () speakeasy net 
> > <mailto:jeffs () speakeasy net>> wrote:
> >
> >     I've been using Snort and still consider myself a newbie although
> >     I am
> >     fairly familiar with writing basic rules.  Unfortunately, the feat I
> >     need to perform may need a more advanced set of eyes so I am hoping
> >     someone on this list may be able to help me out.
> >
> >     I need to get only 1 alert on two separate GET requests that contain
> >     different .jpg file names.
> >
> >     For example, there is a web page, it contains A.jpg and B.jpg.  If
> >     someone looks at it I want to be able to get one alert but NOT if
> >     they
> >     look at a different page which contains A.jpg and NOT B.jpg or
> >     still yet
> >     a different page that contains B.jpg and NOT A.jpg.  Only on the page
> >     the contains BOTH .jpgs should generate 1 alert.
> >
> >     I've tried the within keyword but I believe this only searches
> >     within a
> >     single packet and as the two separate jpg files are sent via two
> >     separate GET requests, I believe I am working with more than one
> >     packet,
> >     am I correct in that assumption?
> >
> >     thanks for any advice.
> >
> >
> >
> >     ------------------------------------------------------------------------------
> >     This SF.net email is sponsored by:
> >     SourcForge Community
> >     SourceForge wants to tell your story.
> >     http://p.sf.net/sfu/sf-spreadtheword
> >     _______________________________________________
> >     Snort-users mailing list
> >     Snort-users () lists sourceforge net
> >     <mailto:Snort-users () lists sourceforge net>
> >     Go to this URL to change user options or unsubscribe:
> >     https://lists.sourceforge.net/lists/listinfo/snort-users
> >     Snort-users
> >     <https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>
> >     list archive:
> >     http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> > ------------------------------------------------------------------------------
> > This SF.net email is sponsored by:
> > SourcForge Community
> > SourceForge wants to tell your story.
> > http://p.sf.net/sfu/sf-spreadtheword_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users