<div dir="ltr">Erik, you likely want: <div><br></div><div>$HOME_NET -> $EXTERNAL_NET with flow:established,to_server; </div><div><br></div><div>Would also recommend setting a flowbit on the inbound traffic and check isset on this outbound traffic. The ET netwire rat sigs are similar, might make a good template (2021290).</div><div><br></div><div>HTH,</div><div>-T</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 14, 2017 at 9:58 AM, erik clark <span dir="ltr"><<a href="mailto:philosnef@gmail.com" target="_blank">philosnef@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I have a flow and data question about a signature I am trying to write.<div><br></div><div>I have a remote source initiating a connection to a local address, which then responds to the remote source with a given hex string 4 bytes long, offset 0.</div><div><br></div><div>I am looking at this:</div><div><br></div><div><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords</a><br></div><div><br></div><div>but don't quite follow if I should use flow:from_server with src internal dest external, or established (which means it already was inspected as having a remote handshake with a local response that I am trying to alert off of?)</div><div><br></div><div>Thanks!</div><div><br></div></div>
<br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">PGP: ABE625E6<br><a href="http://keybase.io/travisbgreen" target="_blank">keybase.io/travisbgreen</a></div>
</div>
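<p>The flowbit pairing discussed in the thread, written out as an added example (editor's illustration, not a rule from either poster or from the ET ruleset). It assumes the scenario Erik describes: the remote host opens the TCP connection, so in Suricata's flow model the local host is the server and its reply travels <code>to_client</code> (equivalently <code>from_server</code>); <code>flow:established</code> on both rules restricts matching to sessions that completed the handshake. The 4-byte marker <code>|de ad be ef|</code>, the flowbit name <code>ex.inbound</code>, the port variable and the sids are constructed placeholders; <code>$HOME_NET</code> and <code>$EXTERNAL_NET</code> are the standard Suricata variables named in the thread.</p>

```suricata
# Rule 1: remote client -> local service. Tags the session but does not alert itself.
# (Constructed example; replace the sid range, port and flowbit name for your deployment.)
alert tcp $EXTERNAL_NET any -> $HOME_NET $EXAMPLE_PORT ( \
    msg:"EXAMPLE Inbound connection to local service, tagging flow"; \
    flow:established,to_server; \
    flowbits:set,ex.inbound; \
    flowbits:noalert; \
    classtype:misc-activity; \
    sid:9000001; rev:1; )

# Rule 2: local service -> remote client. Fires only on sessions tagged by rule 1,
# and only when the server's payload starts with the 4-byte marker (offset 0, depth 4).
# |de ad be ef| is a constructed placeholder for the real hex string.
alert tcp $HOME_NET $EXAMPLE_PORT -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE Local service replied with 4-byte marker to remote client"; \
    flow:established,to_client; \
    flowbits:isset,ex.inbound; \
    content:"|de ad be ef|"; offset:0; depth:4; \
    classtype:trojan-activity; \
    sid:9000002; rev:1; )
```

<p>Rule 1 carries <code>flowbits:noalert</code> so the inbound half is silent and only the outbound reply produces an alert. <code>offset:0; depth:4;</code> anchors the match to the first four bytes of the server payload, which avoids matching the same byte sequence deeper in a legitimate stream. Because <code>flowbits:isset</code> is checked on a later packet of the same session, the pair also works when the marker is split across the first server segment and a retransmission, since Suricata evaluates <code>content</code> on the reassembled stream for established TCP flows.</p>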