Snort mailing list archives
Re: Multi Flow Alert
From: Matt Olney <molney () sourcefire com>
Date: Wed, 13 Jan 2010 22:34:08 -0500
Curt,

Let me check with Patrick tomorrow on this. He did some really nifty cross-stream work on one of the Microsoft vulns a few months ago. I'm pretty sure the tricks he pulls are .SO only though.

Matt

On Wed, Jan 13, 2010 at 10:33 AM, Curt Shaffer <cshaffer () gmail com> wrote:
I need to write a rule that will alert if I see the following characteristics. Client establishes port 80 traffic to IP address A. Immediately after the response of that flow, the same client establishes an SSL session on 443 to the same destination.

I know this has potential for false positives, as redirection is pretty common, but if I can create a variable like MALWARE_C2C with a list of known IPs that this shouldn't happen to, or possibly KNOWN_RDIR hosts to keep a simple whitelist rather than blacklist.

Is this possible with Snort, to alert across multiple flows? If so, can someone point me to some documentation on the directives needed or give a simple example?

Thanks
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
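The cross-flow correlation Curt asks about, written out as an added example that is not part of the thread and not Snort rule syntax: it walks a list of flow records (constructed sample data), pairs each tcp/80 flow with a tcp/443 flow from the same client to the same server that starts within a short window, and suppresses servers on a KNOWN_RDIR style whitelist. The Flow record layout, the 2-second window and the addresses are assumptions for the example.

```python
"""Flag a tcp/80 flow followed shortly by a tcp/443 flow between the same
client/server pair (the pattern from the thread). Flow data is constructed."""
from dataclasses import dataclass

# Hosts where an HTTP->HTTPS redirect is expected; stands in for a
# KNOWN_RDIR style whitelist variable (example value, constructed).
KNOWN_RDIR = {"203.0.113.10"}

# Maximum gap (seconds) between the end of the HTTP flow and the start of
# the TLS flow for the pair to count as "immediately after" (assumed value).
MAX_GAP = 2.0

@dataclass
class Flow:
    start: float   # epoch seconds of first packet
    end: float     # epoch seconds of last packet
    src: str       # client address
    dst: str       # server address
    dport: int     # server port

def correlate(flows, known_rdir=KNOWN_RDIR, max_gap=MAX_GAP):
    """Return (client, server, gap) for each tcp/80 flow that is followed
    within max_gap seconds by a tcp/443 flow between the same pair,
    skipping servers on the redirect whitelist."""
    flows = sorted(flows, key=lambda f: f.start)
    http = {}   # (src, dst) -> end time of the most recent HTTP flow
    hits = []
    for f in flows:
        key = (f.src, f.dst)
        if f.dport == 80:
            http[key] = f.end
        elif f.dport == 443 and key in http:
            gap = f.start - http.pop(key)
            if 0 <= gap <= max_gap and f.dst not in known_rdir:
                hits.append((f.src, f.dst, round(gap, 3)))
    return hits

# Constructed sample flows: one suspicious pair, one whitelisted redirect,
# one HTTP flow with no follow-up TLS session.
SAMPLE_FLOWS = [
    Flow(100.0, 100.4, "10.0.0.5", "198.51.100.7", 80),
    Flow(100.9, 105.0, "10.0.0.5", "198.51.100.7", 443),
    Flow(200.0, 200.3, "10.0.0.6", "203.0.113.10", 80),
    Flow(200.5, 210.0, "10.0.0.6", "203.0.113.10", 443),
    Flow(300.0, 300.2, "10.0.0.7", "198.51.100.9", 80),
]

if __name__ == "__main__":
    for src, dst, gap in correlate(SAMPLE_FLOWS):
        print(f"ALERT http->tls {src} -> {dst} gap={gap}s")
```

Swapping the whitelist for a MALWARE_C2C blacklist is a one-line change to the membership test; the pairing logic stays the same.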