Snort mailing list archives

Re: Linking Snort Rules


From: Mike Smith <yellowmikeroad () gmail com>
Date: Thu, 25 Aug 2016 18:14:04 +0100

Al,

Thanks for your time in getting back to me. I did quickly glance over it,
however I read that it was being phased out, so in turn decided that it was
best to invest time into learning a technique that wasn't going anywhere
soon.

In your experience is this actually perhaps the best route to go down?

Regards,

Mike

On Thu, Aug 25, 2016 at 5:55 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello,

Have you tried using “activate” or “tagging”?

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00426000000000000000



*Albert Lewis*

ENGINEER.SOFTWARE ENGINEERING

SOURCE*fire*, Inc. now part of *Cisco*

Email: allewi () cisco com

From: Mike Smith <yellowmikeroad () gmail com>
Date: Thursday, August 25, 2016 at 12:37 PM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] Linking Snort Rules

Good Morning All,


I'm hoping someone can help me. I have some traffic that I am attempting to
signature up but am encountering some difficulties.


First I'll briefly explain the traffic. Device A receives an SNMP request
to update its firmware, it then connects back via TFTP to download the
firmware file.


Now, I have a signature that detects the SNMP traffic fine (the MIB etc),
and I now want to detect the TFTP traffic following this, but I ONLY want
this FTP rule to be activated if the first rule (the SNMP rule) fires.
Obviously I cannot use Flowbits, and by trawling the other rules and manual
I can't really see anything that I believe would fit this criteria.


Any advice is appreciated,


Mike
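
The two options named in the reply above ("tagging" and "activate"), sketched for the SNMP-then-TFTP case described in the original question. This is an added example, not part of any post in this thread; it uses Snort 2.x rule syntax, and the OID bytes, SIDs and message strings are constructed placeholders, since the thread does not give the actual MIB.

```snort
# Constructed example. Replace the content match with the real firmware-update OID.
# |2b 06 01 04 01| is only the BER prefix for 1.3.6.1.4.1 (enterprises), used as a placeholder.

# Option 1: tagging.
# When the SNMP rule fires, Snort keeps logging packets that involve the
# destination host of the triggering packet (Device A) for the next 60 seconds,
# which captures the TFTP download that follows.
# Tagged packets are logged, they do not raise a second alert.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"LOCAL SNMP firmware update request"; content:"|2b 06 01 04 01|"; tag:host,60,seconds,dst; sid:1000001; rev:1;)

# Option 2: activate / dynamic.
# The activate rule alerts on the SNMP request and switches on the dynamic rule
# with the matching number; the dynamic rule then logs the next 50 packets that
# match its header (Device A's network to the TFTP port) and goes dormant again.
activate udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"LOCAL SNMP firmware update request"; content:"|2b 06 01 04 01|"; activates:1; sid:1000002; rev:1;)
dynamic udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"LOCAL TFTP after SNMP firmware update request"; activated_by:1; count:50; sid:1000003; rev:1;)
```

Only the first TFTP packet goes to UDP port 69; the server answers from a new port, so the `dynamic` header above sees the request but not the data transfer, while `tag:host` follows the device regardless of port.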


