Snort mailing list archives

Re: my flow rule doesn't work


From: Patrick Mullen <pmullen () sourcefire com>
Date: Fri, 16 Sep 2022 14:25:32 -0400

The "|17 03 03|" is never in a packet with the "|16 03 03|".  It looks like
they are message types, from opposite sides of the connection.  Since they
are in different packets, from different devices, they won't match a single
rule since they're never seen together.


Thanks,

~Patrick


On Thu, Sep 15, 2022 at 3:54 PM Xing Star via Snort-sigs <
snort-sigs () lists snort org> wrote:

I made a rule to detect this pcap, but it does not seem to work at all. What can I do?
Rule:
alert tcp any any -> any any (msg:"TLS";flow:established,to_server;content:"|16 03 03|";content:"|14 03 03|";content:"|16 03 03|";content:"|17 03 03|";sid:87654321;rev:2;)
I think it should work properly, but it can match 14 03 03 16 03 03; it can't match 17 03 03.
And if the rule is like this:
alert tcp any any -> any any (msg:"TLS";flow:established,to_server;content:"|16 03 03|";content:"|14 03 03|";content:"|16 03 03|";content:"|16 03 03|";sid:87654321;rev:2;)
it can match from the head.
I don't know why. Do I need to modify the config file?
Please help me, thanks very much.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads



-- 
Patrick Mullen
Response Research Manager
Cisco TALOS
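The reply above rests on one rule of Snort's matching model: every plain content: option in a rule is ANDed against the same buffer (one packet, or one same-direction reassembled stream buffer), and flow:to_server only ever hands the rule client-to-server data. Bytes that arrive in a later packet, or from the other side, are invisible to that rule; state across packets has to be carried with flowbits. The script below is an added illustration, not code from this thread or from the Snort project: it builds a constructed, simplified TLS 1.2 exchange, re-implements the per-packet ANDed content search in a few lines, and shows that the posted four-content rule never fires while the poster's second rule does, then shows the two-rule flowbits pattern that does catch client application data after the client's Finished. The flow layout, the rule names and the sids 1000001/1000002 are assumptions chosen for the example; real Snort also reassembles same-direction segments, which this model does not.

```python
"""Model of Snort's per-buffer content matching, with a flowbits fix.

All data here is constructed for illustration; this is not Snort and does
not parse pcaps.  It reproduces the one property the thread turns on: all
content: options of a rule must be found in the same packet (or the same
same-direction reassembled buffer), never across packets or directions.
"""

HANDSHAKE, CHANGE_CIPHER_SPEC, APPLICATION_DATA = 0x16, 0x14, 0x17


def tls_record(content_type, body, version=(3, 3)):
    """Build one TLS record: type byte, 2-byte version, 2-byte length, body."""
    return bytes([content_type, *version]) + len(body).to_bytes(2, "big") + body


# Constructed TLS 1.2 exchange, one entry per TCP packet: (direction, payload).
# Record bodies are placeholders; only the 3-byte record headers matter here.
FLOW = [
    ("to_server", tls_record(HANDSHAKE, b"\x01ClientHello", version=(3, 1))),
    ("to_client", tls_record(HANDSHAKE, b"\x02ServerHello")
                  + tls_record(HANDSHAKE, b"\x0bCertificate")
                  + tls_record(HANDSHAKE, b"\x0eServerHelloDone")),
    # The packet the poster saw match: CKE + ChangeCipherSpec + Finished together.
    ("to_server", tls_record(HANDSHAKE, b"\x10ClientKeyExchange")
                  + tls_record(CHANGE_CIPHER_SPEC, b"\x01")
                  + tls_record(HANDSHAKE, b"\x14Finished")),
    ("to_client", tls_record(CHANGE_CIPHER_SPEC, b"\x01")
                  + tls_record(HANDSHAKE, b"\x14Finished")),
    ("to_client", tls_record(APPLICATION_DATA, b"ciphertext")),
    # Application data from the client arrives later, in its own packet.
    ("to_server", tls_record(APPLICATION_DATA, b"ciphertext")),
]


def contents_match(payload, contents):
    """Plain content: options are ANDed; each is searched independently over the
    whole buffer, so listing the same pattern twice needs only one occurrence."""
    return all(pattern in payload for pattern in contents)


def single_rule_hits(flow, direction, contents):
    """Indices of packets on which a one-rule signature with the given
    flow direction and content list would alert."""
    return [i for i, (d, payload) in enumerate(flow)
            if d == direction and contents_match(payload, contents)]


# The poster's rule: four contents that must all sit in one to_server packet.
POSTED_RULE = (b"\x16\x03\x03", b"\x14\x03\x03", b"\x16\x03\x03", b"\x17\x03\x03")
# The poster's second rule, which does fire: repeats cost nothing.
SECOND_RULE = (b"\x16\x03\x03", b"\x14\x03\x03", b"\x16\x03\x03", b"\x16\x03\x03")


def flowbits_hits(flow):
    """Two-rule version carrying state across packets (Snort 2 syntax, sids assumed):

    alert tcp any any -> any any (msg:"TLS client CCS+Finished"; flow:established,to_server;
        content:"|14 03 03|"; content:"|16 03 03|"; flowbits:set,tls.client_finished;
        flowbits:noalert; sid:1000001; rev:1;)
    alert tcp any any -> any any (msg:"TLS client app data"; flow:established,to_server;
        content:"|17 03 03|"; flowbits:isset,tls.client_finished; sid:1000002; rev:1;)
    """
    client_finished = False          # the flowbit, scoped to this one flow
    hits = []
    for i, (direction, payload) in enumerate(flow):
        if direction != "to_server":
            continue                 # flow:to_server never sees server packets
        if contents_match(payload, (b"\x14\x03\x03", b"\x16\x03\x03")):
            client_finished = True   # sid 1000001: set the bit, noalert
        if client_finished and contents_match(payload, (b"\x17\x03\x03",)):
            hits.append(i)           # sid 1000002: alert on later app data
    return hits


if __name__ == "__main__":
    print("posted rule fires on packets:", single_rule_hits(FLOW, "to_server", POSTED_RULE))
    print("second rule fires on packets:", single_rule_hits(FLOW, "to_server", SECOND_RULE))
    print("flowbits pair fires on packets:", flowbits_hits(FLOW))
```

Run it and the posted rule fires on no packet, the second rule fires on the client's CKE/CCS/Finished packet, and the flowbits pair fires on the client's first application-data packet. If the goal is really "this server answered with application data", the second rule of the pair wants flow:to_client instead; either way the state is carried by the bit, not by listing both sides' record types in one rule.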

