[Snort-sigs] filter session in both direction

From: Jingmin (Jimmy) Zhou <jimmy(at)mtc.dhs.org>
Date: Tue May 06 2003 - 19:25:33 EDT


Hi,

I am trying to write a rule to filter content of a session in both directions. For example, if Snort sees "foo" in the incoming traffic and then "bar" in the out-going traffic for a web session, it triggers an alert. Is it possible?

I wrote a rule as follows, but it's not successful:

alert tcp $EXTERNAL_NET any <> $HTTP_SERVERS $HTTP_PORTS (msg:"[TEST] WEB successful access"; content:"/mytest.exe"; content:"200 OK"; tag:session,512,packets; session:printable; nocase; rev:1; sid:1000001;)

Thanks for hints!

Jimmy


Jingmin (Jimmy) Zhou             Mail : jimmy AT mtc.dhs.org
Web : www.mtc.dhs.org             ICQ : 19587415

The future is not set.  There is no fate but what we make
for ourselves.             - Terminator II, Judgement Day

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue May 6 20:00:36 2003
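
Added example, not part of the original post: the rule above places both content matches in one rule, so Snort looks for them in the same packet, while the request and the response travel in opposite directions. One way to correlate them is a pair of rules linked by a flowbit, assuming a Snort version that supports the flowbits option with TCP stream tracking enabled; the flowbit name mytest.request and the sids 1000002 and 1000003 are constructed for illustration.

```snort
# Rule 1 (client -> server): remember that this TCP session requested the file.
# flowbits:set marks the session; flowbits:noalert keeps this rule silent,
# so the request alone does not generate an alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"[TEST] WEB request for /mytest.exe (state only)"; \
    flow:to_server,established; \
    content:"/mytest.exe"; nocase; \
    flowbits:set,mytest.request; \
    flowbits:noalert; \
    sid:1000002; rev:1;)

# Rule 2 (server -> client): alert only when the response carries "200 OK"
# AND rule 1 already marked this same session. Source and destination are
# swapped relative to rule 1 instead of using the <> operator, so each
# content match is tied to one direction.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"[TEST] WEB successful access"; \
    flow:to_client,established; \
    flowbits:isset,mytest.request; \
    content:"200 OK"; \
    tag:session,512,packets; \
    sid:1000003; rev:1;)
```

The flowbit is kept per tracked TCP session, so a "200 OK" on a different connection from the same client does not satisfy rule 2.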

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT