[Oisf-users] rule for inspecting first packet in tcp stream only
Justin Cinkelj
justin.cinkelj at xlab.si
Thu Apr 25 15:22:03 UTC 2013
Does not do exactly what I want, but it is already much closer :)
alert tcp any any -> any 4444 (msg: "TEST-a"; content:"bla-bla";
offset:0; depth:7; sid:5002002; rev:1;)
alert tcp any any -> any 4444 (msg:"TEST-b"; content:"bla-bla";
offset:0; depth:7; flowbits:isnotset,ignore; flowbits:set,ignore;
sid:5002003; rev:1;)
Sending via netcat
sssssssss
bla-bla
bla-bla
^C
The second line triggers both TEST-a and -b, but the third line triggers
only the -a rule.
I will now look toward flowbits.
Justin
On 04/25/2013 04:38 PM, Matt wrote:
> Maybe something like this (untested)?
>
> alert tcp any any -> any 4444 (msg:"TEST-a"; content:"bla-bla";
> offset:0; depth:7; flowbits:isnotset,ignore; flowbits:set,ignore;
> sid:5002002; rev:1;)
>
> Matt
>
> On 4/25/2013 9:40 AM, Justin Cinkelj wrote:
>> Hi
>>
>> I would like to write a rule to match relative to the start of the tcp stream.
>> Something like
>> alert tcp any any -> any 4444 (msg: "TEST-a"; content:"bla-bla";
>> offset:0; depth:7; sid:5002002; rev:1;)
>>
>> This triggers, but matches start of every packet, and I would like to
>> limit it to the first packet only.
>>
>> Justin
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>
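The behaviour Justin observes (TEST-b firing on the second line but not the third) follows from how flowbits are scoped: the bit lives on the flow, and `flowbits:set` only runs once every other condition of the rule, including the `content` match, has succeeded. The toy model below is an added example, not code from the mailing-list thread or from Suricata itself. It assumes the simplified situation the thread describes: each line typed into netcat becomes one TCP segment, and both rules inspect the payload of every segment in order. It also shows why this is not yet "first packet of the stream": the leading `sssssssss` segment does not match the content and so never sets the bit.

```python
"""Toy model of Suricata flowbits evaluation for the two rules in the thread.

Added example, not from the mailing-list post. Assumes one netcat line ==
one TCP segment and that rules see segment payloads in arrival order.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    content: bytes
    offset: int = 0                   # payload byte where the search window starts
    depth: int = 0                    # window length in bytes (0 = unbounded)
    isnotset: Optional[str] = None    # flowbits:isnotset,<name>
    set_bit: Optional[str] = None     # flowbits:set,<name>


def content_matches(rule: Rule, payload: bytes) -> bool:
    """offset/depth restrict where in the payload the content may appear."""
    end = len(payload) if rule.depth == 0 else rule.offset + rule.depth
    return rule.content in payload[rule.offset:end]


def evaluate(rules: List[Rule], flow_packets: List[bytes]) -> List[Tuple[int, str]]:
    """Return (packet_index, rule_name) alerts raised over one flow.

    The flowbit state is attached to the flow, so it persists from one
    packet to the next; a 'set' action happens only when the rule's other
    conditions (content, isnotset) all hold for that packet.
    """
    flowbits = set()
    alerts = []
    for i, payload in enumerate(flow_packets, start=1):
        for rule in rules:
            if not content_matches(rule, payload):
                continue
            if rule.isnotset is not None and rule.isnotset in flowbits:
                continue
            alerts.append((i, rule.name))
            if rule.set_bit is not None:
                flowbits.add(rule.set_bit)
    return alerts


# The two rules from the thread, transcribed into the model.
RULES = [
    Rule("TEST-a", b"bla-bla", offset=0, depth=7),
    Rule("TEST-b", b"bla-bla", offset=0, depth=7,
         isnotset="ignore", set_bit="ignore"),
]

# Constructed sample flow mirroring the netcat session in the thread
# (three lines, each sent as its own segment).
SESSION = [b"sssssssss\n", b"bla-bla\n", b"bla-bla\n"]

if __name__ == "__main__":
    for pkt, name in evaluate(RULES, SESSION):
        print(f"packet {pkt}: {name}")
```

Running it prints `packet 2: TEST-a`, `packet 2: TEST-b`, `packet 3: TEST-a`, matching the thread. The model makes the limitation visible: the flowbit is a "first packet that matched" marker, not a "first packet of the stream" marker, so a stream whose first segment does not contain the content still alerts on a later one.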