[Oisf-devel] Does suricata have "activates/activated_by" as a rule option?

amit zala impmails67 at gmail.com
Wed Aug 24 19:45:00 UTC 2016


Hi Victor,

Thanks for the prompt reply, xbits solved my problem. :)

-
Thanks
Amit

On Wed, Aug 24, 2016 at 10:23 PM, Victor Julien <lists at inliniac.net> wrote:

> On 24-08-16 18:52, amit zala wrote:
> > Hello Signature-writers/developers,
> >
> > Snort provides activates/activated_by as a post-detection rule_option.
> > You can read more about it here
> > (http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html)
> >
> > Does suricata have this functionality? I tried to search for it in the
> > Suricata user guide, but I was not able to find it.
> >
> > Basically, I want to trigger a rule only if another rule has been
> > triggered. I cannot use flowbits, because detection is being done on the IP
> > protocol.
> >
> > Any help/pointer will be much appreciated.
>
> No, those options are not implemented.
>
> You could perhaps try xbits to set per ip pair or per host bits.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
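The xbits approach Victor suggests, written out as a pair of example rules. This is added here for illustration and is not from the original thread or from the Suricata project; the sids, the bit name, the expiry window and the stage-1 match condition (`ip_proto:47`, i.e. GRE, chosen only because the thread says detection happens at the IP layer) are all constructed. Unlike flowbits, which live on a flow, xbits are keyed on a host or host pair, so a bit set on IP-layer traffic with no flow can still gate a second rule:

```suricata
# Stage 1: the "activating" rule. It alerts normally and, in addition, marks
# the source/destination pair for 60 seconds. Bit name, sid and the ip_proto
# condition are constructed placeholders for whatever stage 1 really matches.
alert ip any any -> $HOME_NET any (msg:"EXAMPLE stage 1 - mark host pair"; \
    ip_proto:47; \
    xbits:set,example.stage1,track ip_pair,expire 60; \
    sid:1000001; rev:1;)

# Stage 2: the "activated" rule. It only fires while the stage-1 bit is set
# for the same src/dst pair, so on its own it is silent.
alert ip any any -> $HOME_NET any (msg:"EXAMPLE stage 2 - follow-up after stage 1"; \
    xbits:isset,example.stage1,track ip_pair; \
    sid:1000002; rev:1;)

# Variant: key the bit on the source host alone (Victor's "per host" case),
# so stage 2 fires for traffic from a marked source to any destination.
alert ip any any -> $HOME_NET any (msg:"EXAMPLE stage 1 (per source host)"; \
    ip_proto:47; \
    xbits:set,example.stage1_src,track ip_src,expire 60; \
    sid:1000003; rev:1;)
```

Two points a rule writer checks with this pattern: `expire` bounds how long the dependency stays armed, which is the closest Suricata equivalent to Snort's activation count (Suricata gates on time, not on a number of packets), and `track ip_pair` versus `track ip_src`/`ip_dst` decides whether a marked attacker can trigger stage 2 against a different target. Running `suricata -T -c suricata.yaml -S rules.txt` validates the syntax without starting the engine.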