<div dir="ltr">Thanks everyone! Got this working exactly as expected. </div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 14, 2017 at 12:47 PM, Travis Green <span dir="ltr"><<a href="mailto:travis@travisgreen.net" target="_blank">travis@travisgreen.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Erik, you likely want: <div><br></div><div>$HOME_NET -> $EXTERNAL_NET with flow:established,to_server; </div><div><br></div><div>Would also recommend setting a flowbit on the inbound traffic and check isset on this outbound traffic. The ET netwire rat sigs are similar, might make a good template (2021290).</div><div><br></div><div>HTH,</div><div>-T</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Fri, Jul 14, 2017 at 9:58 AM, erik clark <span dir="ltr"><<a href="mailto:philosnef@gmail.com" target="_blank">philosnef@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">I have a flow and data question about a signature I am trying to write.<div><br></div><div>I have a remote source initiating a connection to a local address, which then responds to the remote source with a given hex string 4 bytes long, offset 0.</div><div><br></div><div>I am looking at this:</div><div><br></div><div><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords</a><br></div><div><br></div><div>but don't quite follow if I should use flow:from_server with src internal dest external, or established (which means it already was inspected as having a remote handshake with a local response that I am trying to alert off of?)</div><div><br></div><div>Thanks!</div><div><br></div></div>
<br></div></div>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><span class="HOEnZb"><font color="#888888"><br></font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div class="m_3809842961226194117gmail_signature" data-smartmail="gmail_signature">PGP: ABE625E6<br><a href="http://keybase.io/travisbgreen" target="_blank">keybase.io/travisbgreen</a></div>
</font></span></div>
</blockquote></div><br></div>
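The flowbit pattern Travis describes, worked into a pair of Suricata rules as an added example (not code from the thread or from the ET ruleset): the inbound rule records the remote client's request in a flowbit without alerting, and the outbound rule alerts on the local host's 4-byte reply at payload offset 0 only when that bit is already set on the flow. The request and reply byte values, the flowbit name and the sids are constructed placeholders; because the remote side opened the connection, the local reply is the server-to-client direction, so the reply rule uses flow:to_client (Suricata's alias for from_server).

```suricata
# Rule 1: remote client -> local server.
# Matches a constructed placeholder request marker in the first 4 payload
# bytes and sets a flowbit on the flow. flowbits:noalert keeps this rule
# silent so only the confirmed request+reply pair produces an alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Example inbound request seen (flowbit set)"; \
    flow:established,to_server; \
    content:"|00 01 02 03|"; depth:4; \
    flowbits:set,local.example.request; flowbits:noalert; \
    classtype:misc-activity; sid:9000001; rev:1;)

# Rule 2: local server -> remote client.
# Alerts only when the constructed placeholder 4-byte reply marker sits at
# offset 0 of the payload (depth:4 with the default offset of 0) AND rule 1
# already set the flowbit earlier in the same flow.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Example server reply following inbound request"; \
    flow:established,to_client; \
    content:"|de ad be ef|"; depth:4; \
    flowbits:isset,local.example.request; \
    classtype:trojan-activity; sid:9000002; rev:1;)
```

Replace the two placeholder byte strings with the real request and reply values and keep the sids in your local range; without flowbits:noalert on rule 1 every matching request would alert on its own.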