-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, Aug 29, 2004 at 09:02:43AM +0200, Chris Kronberg wrote:
I'm trying to find a way to write rules provding the following:
Rule1 fires and sets another rule active, which fires on the
following traffic (if the criteria are met). Rule2 should never
fire without rule1 firing first.
Sounds like you want flowbits.
example:
alert tcp any any -> any any (msg:"rule1"; content:"FOO"; flowbits:
set,saw_foo;);
alert tcp any any -> any any (msg:"rule2"; content:"BAR"; flowbits:
isset,saw_foo;);
rule2 can't fire unless rule1 already fired for the existing flow. (which
brings up
the biggest (IMHO) limitation of flowbits; you can't use it to connect
different
flows together (say, ftp control and data sockets))
For more advanced rule progression like this, you might want to take a look at
Shoki (shoki.sourceforge.net). It's very very young, but I think it will fill
the gap between Snort and NFR if only people give it a little attention.
(and you know, no one says you have to have ONLY ONE IDS on your network...)
Beyond that, you probably want to look into using a correlation tool of some
kind to filter out the alerts for you. Just alert on anything interesting and
let the correlator sort it out.
(I strongly reccomend SEC (http://kodu.neti.ee/~risto/sec/) for this.)
- --
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
iD8DBQFBMf6uQ7EzrewLMS0RAvlUAKC/qP0advkLL9ILgr/neHQNRfeZWgCfQeX0
84FoXxGkIHi8x2oN5QdYuB4=
=fisb
-----END PGP SIGNATURE-----
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
