[Oisf-users] rule for inspecting first packet in tcp stream only

Justin Cinkelj justin.cinkelj at xlab.si
Thu Apr 25 13:40:30 UTC 2013

Previous message (by thread): [Oisf-users] IDS policy in the network
Next message (by thread): [Oisf-users] rule for inspecting first packet in tcp stream only
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi

I would like to write rule to match relative to start of tcp stream.
Something like
alert tcp any any -> any 4444 (msg: "TEST-a"; content:"bla-bla"; 
offset:0; depth:7; sid:5002002; rev:1;)

This triggers, but matches start of every packet, and I would like to 
limit it to the first packet only.

Justin

Previous message (by thread): [Oisf-users] IDS policy in the network
Next message (by thread): [Oisf-users] rule for inspecting first packet in tcp stream only
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Oisf-users mailing list