List: snort-sigs
Subject: Re: [Snort-sigs] Snort as IPS and correlation
From: <stephane.nasdrovisky () paradigmo ! com>
Date: 2015-04-10 18:32:59
Message-ID: 49A3818432D146D2A4E415A49C5EA6FB () HP4740S
My guess is flowbit: set in rule A.
flowbit: isset in rule B. (rule B takes action, not rule A)
The pdf manual (https://www.snort.org/documents/1 or https://www.snort.org/#documents) says:
3: writing snort rules
3.6: non-payload detection rule options
3.6.10 flowbits
Most of the options need a user-defined name for the specific state that is being checked.
flowbits:[set|isset][, <GROUP_NAME>];
You'll find flowbit: set examples in some existing rules.
flowbit is described in "IPS options" for Snort 3/Snort++.
Other solutions may come from other IDSes like Bro, Prelude IDS or Haka.
Subject: [Snort-sigs] Snort as IPS and correlation
1- Snort receives a packet that matches a rule [RULE A] (RULE A includes blocking the source address in iptables through snortsam)
2- The action for [RULE A] stands in "standby" until another rule [RULE B] is matched
3- Once [RULE B] is matched, [RULE A] performs the actions configured on it.
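Worked example of the flowbits pairing suggested in the reply above (added here; it is not from the thread or from the Snort project's rule sets). Rule A records the first condition as flow state without alerting; rule B takes the blocking action only when that bit is already set on the same flow. The SIDs, the flowbit name and the content strings are constructed placeholders.

```snort
# Added example (not from the original thread). SIDs 1000001/1000002 are
# constructed local-range values; "stage1_seen" and the content strings
# are placeholders standing in for whatever rule A and rule B really match.

# Rule A: detect the first condition and remember it as flow state only.
# flowbits:noalert keeps rule A silent, so nothing is blocked yet.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"CORRELATION stage 1 observed on flow"; \
    flow:to_server,established; \
    content:"stage-one-marker"; \
    flowbits:set,stage1_seen; \
    flowbits:noalert; \
    sid:1000001; rev:1; )

# Rule B: the action lives here. It fires only if stage 1 was already
# seen on this same session, which is the "standby until B" behaviour
# the original question asked for.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"CORRELATION stage 2 after stage 1, blocking"; \
    flow:to_server,established; \
    content:"stage-two-marker"; \
    flowbits:isset,stage1_seen; \
    sid:1000002; rev:1; )
```

Flowbits are tracked per session by the stream preprocessor, so this correlates two events within one flow, not across separate connections from the same source address; cross-flow correlation still needs an external component such as the snortsam step the question mentions.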
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!