Re: Gathering the session for a two rule setup

[Joshua Ochsankehl <joshua.ochsankehl () gmail com>]

I can't put it up here due to business concerns but maybe I didn't explain
it very well.  The purpose is to capture traffic from the beginning of a
session with a no alert and a packet or more later capture the rest of the
session with a second rule.  The traffic still need to capture the entire
session in PCAP so that the identifying issue can be determined.  This is
to weed out the not founds and situations where the traffic was stopped.

On Mon, Jan 30, 2017 at 4:37 PM, Joel Esler (jesler) <jesler () cisco com>
wrote:

> Can you capture a pcap of the traffic you are attempting to analyze and
> throw it on here?
>
> *--*
> *Joel Esler *| *Talos:* Manager | jesler () cisco com
>
>
>
>
>
>
> On Jan 30, 2017, at 5:16 PM, Joshua Ochsankehl <
> joshua.ochsankehl () gmail com> wrote:
>
> I am using an older version of Sourcefire 5 and I am trying to capture
> some traffic using two rules one looking for a specific uri string and this
> rule sets the flowbit and packet tagging for 10 packets also turned to
> noalert.  Then I wrote the second rule to capture the 200 OK response from
> the session looking for the flowbit.  This works but doesn't return to the
> session only the 200 OK.  Is there a keyword I am not thinking about?  and
> the noalert has no baring on the results.  I've tested just about every
> variation of this and can't seem to get it.  NOTE: I'm trying to avoid full
> packet capture and just need Full packet on a case by case basis.
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot______
> _________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!