Snort mailing list archives

Gathering the session for a two rule setup


From: Joshua Ochsankehl <joshua.ochsankehl () gmail com>
Date: Mon, 30 Jan 2017 16:16:49 -0600

I am using an older version of Sourcefire 5 and I am trying to capture some traffic using two rules: one looking for a specific URI string, and this rule sets the flowbit and packet tagging for 10 packets, also turned to noalert. Then I wrote the second rule to capture the 200 OK response from the session looking for the flowbit. This works but doesn't return the session, only the 200 OK. Is there a keyword I am not thinking about? And the noalert has no bearing on the results. I've tested just about every variation of this and can't seem to get it. NOTE: I'm trying to avoid full packet capture and just need full packet on a case-by-case basis.
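The two-rule setup described in the post, written out as an added example in Snort 2.x rule syntax (not the poster's own rules). The flowbit name, URI content and SIDs are placeholders; in this example the tag is placed on the second rule, the one that actually generates an event, since tagging is attached to the event a rule produces, which is where a rule carrying flowbits:noalert differs.

```snort
# Rule 1: match the request URI of interest, set a flowbit, generate no alert.
# "/example/path" and the flowbit name "example.req_seen" are placeholders.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE request of interest seen"; \
    flow:to_server,established; \
    content:"/example/path"; http_uri; \
    flowbits:set,example.req_seen; \
    flowbits:noalert; \
    sid:1000001; rev:1; )

# Rule 2: match the 200 OK on the same flow, alert, and tag the next 10
# packets of the session so the rest of the exchange is logged without
# full packet capture.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE 200 OK for tagged request"; \
    flow:to_client,established; \
    flowbits:isset,example.req_seen; \
    content:"200"; http_stat_code; \
    tag:session,10,packets; \
    sid:1000002; rev:1; )
```

Check the output with a known request against a test host: the alert log should carry the rule 2 event followed by the tagged session packets.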