Snort mailing list archives

Re: Alarm rule specific to a network session


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 22 Mar 2013 10:45:58 -0400

On Mar 22, 2013, at 10:36 AM, Knut Borg <knutborg () gmail com> wrote:

Hey

I know this is mostly unlikely, but I'm willing to give it a shot. If you create a detection rule based on a magic number of a specific file, is it possible to make a new rule which will detect the footer of the file in that specific session? I.e. the "footer" alarm will not trigger if no header has been detected in the same session.


Dear Knut,

Thanks for your email.  I believe you will find what you are looking for here: http://manual.snort.org/node470.html

Flowbits are a way to tie two rules together for one result.

Take a look at the file-identify.rules category for rules that detect different types of files, and if you have any 
rules written (or write any) that we don't already cover, we'd be glad to include them.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
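An added example of the flowbits pattern Joel describes (not from this thread or from the stock file-identify.rules): the first rule spots the file's magic number and silently records it on the session, the second fires on the trailer only if that mark is present. The file type (PDF, with its "%PDF-" header and "%%EOF" trailer), the flowbit name and the SIDs are assumptions chosen for illustration.

```snort
# Rule 1: match the file's magic number, mark the session with a flowbit,
# and suppress the alert so only the paired rule below reports anything.
alert tcp any any -> any any (msg:"FILE-IDENTIFY PDF header seen (example)"; flow:established; content:"%PDF-"; flowbits:set,example.pdf_header_seen; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)

# Rule 2: match the trailer, but only on a session where rule 1 already
# set the flowbit; a trailer in a session with no header does not alert.
alert tcp any any -> any any (msg:"FILE-IDENTIFY PDF trailer after header in same session (example)"; flow:established; flowbits:isset,example.pdf_header_seen; content:"%%EOF"; classtype:misc-activity; sid:1000002; rev:1;)
```

Flowbit state is kept per session by the stream preprocessor, so both rules need stream reassembly enabled for the traffic in question, and a trailer seen on a different connection from the header will not trigger rule 2.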
