Snort mailing list archives

Re: Linking Snort Rules


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 25 Aug 2016 16:55:38 +0000

Hello,

Have you tried using “activate” or “tagging”?

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00426000000000000000



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Mike Smith <yellowmikeroad () gmail com>
Date: Thursday, August 25, 2016 at 12:37 PM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] Linking Snort Rules


Good Morning All,


I'm hoping someone can help me. I have some traffic that I am attempting to signature up but am encountering some 
difficulties.


First I'll briefly explain the traffic. Device A receives an SNMP request to update its firmware, it then connects back 
via TFTP to download the firmware file.


Now, I have a signature that detects the SNMP traffic fine (the MIB etc), and I now want to detect the TFTP traffic 
following this, but I ONLY want this FTP rule to be activated if the first rule (the SNMP rule) fires. Obviously I 
cannot use Flowbits, and by trawling the other rules and manual I can't really see anything that I believe would fit 
this criteria.


Any advice is appreciated,


Mike

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
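
The two approaches named in the reply, sketched for the SNMP-then-TFTP case in the question; this is an added example, not rules posted by anyone in the thread. The SIDs, counts, time window and message text are constructed, and the SNMP rule carries no MIB/OID match because the thread does not show one.

```snort
# Constructed example for Snort 2.x rule syntax. $EXTERNAL_NET and $HOME_NET
# are the usual snort.conf variables; SIDs 1000001-1000003 are placeholders.
# Add the detection options of your existing SNMP rule (the MIB/OID match)
# in front of "activates:" and "tag:" below.

# Option 1: activate/dynamic pair.
# The activate rule alerts and then switches on every dynamic rule whose
# activated_by value equals its activates value. Once switched on, the
# dynamic rule acts as a log rule for the next `count` packets that match
# its header. It is keyed on the rule header only, so it is not limited to
# the device that received the SNMP request.
activate udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP firmware update request"; activates:1; sid:1000001; rev:1;)
dynamic udp $HOME_NET any -> any 69 (activated_by:1; count:20; sid:1000002; rev:1;)

# Port 69 only carries the initial TFTP request; the transfer itself moves to
# ephemeral UDP ports, which the dynamic rule above will not see.

# Option 2: tagging.
# When the SNMP rule fires, log all further packets to or from the
# destination host of the triggering packet (the device that was told to
# update) for 60 seconds. This captures the TFTP transfer on whatever ports
# it uses, and is tied to that one host. Tagged packets are logged, not
# alerted on.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP firmware update request"; tag:host,60,seconds,dst; sid:1000003; rev:1;)
```

The Snort 2 manual notes that activate/dynamic pairs are being phased out in favor of tagging and flowbits, so Option 2 is the one more likely to keep working across versions.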
