Snort mailing list archives

Alarm rule specific to a network session

From: Knut Borg <knutborg () gmail com>
Date: Fri, 22 Mar 2013 15:36:18 +0100

Hey

I know this is mostly unlikely, but I'm willing to give it a shot. If you
create a detection rule based on a magic number of a specific file, is it
possible to make a new rule which will detect the footer of the file in
that specific session? I.e. the "footer" alarm will not trigger if no
header have been detected in the same session.





Knut

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Alarm rule specific to a network session Knut Borg (Mar 22)
- Re: Alarm rule specific to a network session Joel Esler (Mar 22)