[Oisf-users] rule for inspecting first packet in tcp stream only
Matt
matt at somedamn.com
Thu Apr 25 14:38:31 UTC 2013
Maybe something like this (untested)?
alert tcp any any -> any 4444 (msg:"TEST-a"; content:"bla-bla";
offset:0; depth:7; flowbits:isnotset,ignore; flowbits:set,ignore;
sid:5002002; rev:1;)
Matt
On 4/25/2013 9:40 AM, Justin Cinkelj wrote:
> Hi
>
> I would like to write a rule to match relative to the start of a tcp stream.
> Something like
> alert tcp any any -> any 4444 (msg: "TEST-a"; content:"bla-bla";
> offset:0; depth:7; sid:5002002; rev:1;)
>
> This triggers, but matches the start of every packet, and I would like to
> limit it to the first packet only.
>
> Justin
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
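As an added illustration (not code from the thread, and not Suricata's own code), the following Python script models the two rules above over a handful of constructed packets. The first rule alerts on every packet whose first 7 payload bytes contain "bla-bla"; the flowbits variant alerts once per flow, because after the first match sets the bit, `flowbits:isnotset,ignore` fails for every later packet of that flow. The `Packet` class, the bidirectional flow key and the `FlowbitEngine` simulator are assumptions made for the simulation; real Suricata tracks flows by the full 5-tuple, evaluates content against reassembled stream data as well as raw packets, and shares flowbits between both directions of a flow.

```python
"""Simulate per-packet vs. once-per-flow matching of a content rule.

Added example, not Suricata code. It models only: the destination-port
part of the rule header, content/offset/depth on the raw payload, and the
flowbits:isnotset / flowbits:set pair. Packets below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(pkt: Packet):
    """Bidirectional key: both directions of one TCP connection share a flow,
    so they also share that flow's flowbits (as in Suricata)."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return ("tcp", ends[0], ends[1])


def content_in_window(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """True when `content` lies fully inside the inspected window.
    With offset:0 (as in the thread) the window is simply the first
    `depth` bytes of the payload."""
    return content in payload[offset:offset + depth]


class FlowbitEngine:
    """Assumed helper: keeps per-flow flowbits across packets."""

    def __init__(self):
        self._bits = {}  # flow key -> set of flowbit names

    def match(self, pkt: Packet, dport=4444, content=b"bla-bla",
              offset=0, depth=7, flowbit=None) -> bool:
        """Return True when the rule would alert on this packet.
        flowbit=None models Justin's original rule (no flowbits);
        flowbit="ignore" models Matt's isnotset/set variant."""
        if pkt.dport != dport:                       # rule header: -> any 4444
            return False
        if not content_in_window(pkt.payload, content, offset, depth):
            return False
        if flowbit is None:
            return True                              # fires on every matching packet
        bits = self._bits.setdefault(flow_key(pkt), set())
        if flowbit in bits:                          # flowbits:isnotset,ignore fails
            return False
        bits.add(flowbit)                            # flowbits:set,ignore
        return True


def count_alerts(packets, flowbit=None) -> int:
    """Number of alerts the rule raises over a packet sequence."""
    engine = FlowbitEngine()
    return sum(1 for p in packets if engine.match(p, flowbit=flowbit))


# Constructed sample traffic: two client->server flows to port 4444 that
# carry "bla-bla" at the start of several packets, one packet where the
# string starts beyond depth 7, and one to a port the rule header ignores.
SAMPLE = [
    Packet("10.0.0.1", 50000, "10.0.0.2", 4444, b"bla-bla\n"),
    Packet("10.0.0.1", 50000, "10.0.0.2", 4444, b"bla-bla again"),
    Packet("10.0.0.1", 50000, "10.0.0.2", 4444, b"bla-bla"),
    Packet("10.0.0.3", 50001, "10.0.0.2", 4444, b"bla-bla"),
    Packet("10.0.0.4", 50002, "10.0.0.2", 4444, b"xx bla-bla"),   # past depth
    Packet("10.0.0.5", 50003, "10.0.0.2", 80, b"bla-bla"),        # wrong port
]

if __name__ == "__main__":
    print("per-packet rule:", count_alerts(SAMPLE))                  # 4
    print("flowbit rule:   ", count_alerts(SAMPLE, flowbit="ignore"))  # 2
```

Running the script shows the difference the flowbit makes: the original rule fires four times (three packets in the first flow plus one in the second), the flowbit variant fires once per flow. Note that the bit is only ever set when the content actually matches, so a flow whose first packet does not start with "bla-bla" can still alert on a later packet that does.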