[Oisf-users] rule for inspecting first packet in tcp stream only

Anoop Saldanha anoopsaldanha at gmail.com
Thu Apr 25 15:23:01 UTC 2013


On Thu, Apr 25, 2013 at 8:08 PM, Matt <matt at somedamn.com> wrote:
> Maybe something like this (untested)?
>
> alert tcp any any -> any 4444 (msg:"TEST-a"; content:"bla-bla"; offset:0;
> depth:7; flowbits:isnotset,ignore; flowbits:set,ignore; sid:5002002; rev:1;)
>
> Matt
>
>
> On 4/25/2013 9:40 AM, Justin Cinkelj wrote:
>>
>> Hi
>>
>> I would like to write rule to match relative to start of tcp stream.
>> Something like
>> alert tcp any any -> any 4444 (msg: "TEST-a"; content:"bla-bla"; offset:0;
>> depth:7; sid:5002002; rev:1;)
>>
>> This triggers, but matches start of every packet, and I would like to
>> limit it to the first packet only.
>>
>> Justin
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>

alert tcp any any -> any 4444 (msg: "TEST-a"; content:"bla-bla";
offset:0; depth:7; flow:established,only_stream; sid:5002002; rev:1;)

-- 
Anoop Saldanha
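As an added illustration (not part of this thread, and not Suricata's own code), the small Python model below compares the three scopings discussed: the original rule inspected per packet, Matt's flowbits variant, and a rule inspected against the reassembled stream as with flow:only_stream. The segments and flow keys are constructed for the example, and the model assumes only_stream means "offset 0 is byte 0 of the reassembled stream", which is the behaviour Justin asked for; it does not model the engine's actual reassembly chunking or any other Suricata internals.

```python
# Simplified model of how a content:"bla-bla"; offset:0; depth:7 match is scoped.
# This is NOT Suricata's engine; it models only the semantics discussed in the thread.
from dataclasses import dataclass
from typing import Dict, List, Set

PATTERN = b"bla-bla"    # content:"bla-bla"
OFFSET, DEPTH = 0, 7    # offset:0; depth:7


@dataclass
class Segment:
    flow: str       # constructed flow key (client -> server)
    payload: bytes  # TCP payload of this segment


def content_at_start(data: bytes) -> bool:
    """offset:0; depth:7 -- the pattern must lie inside the first 7 bytes."""
    return PATTERN in data[OFFSET:OFFSET + DEPTH]


def per_packet(segments: List[Segment]) -> List[int]:
    """Original rule: every packet payload is inspected on its own, so every
    segment that happens to start with the pattern alerts."""
    return [i for i, s in enumerate(segments) if content_at_start(s.payload)]


def per_packet_flowbits(segments: List[Segment]) -> List[int]:
    """Matt's variant: flowbits:isnotset,ignore; flowbits:set,ignore.
    The first *matching* packet of a flow alerts and sets the bit; later
    matches in that flow are suppressed. A non-matching first packet does
    not set the bit, so a later packet can still alert."""
    ignore: Set[str] = set()
    hits: List[int] = []
    for i, s in enumerate(segments):
        if content_at_start(s.payload) and s.flow not in ignore:
            hits.append(i)
            ignore.add(s.flow)
    return hits


def per_stream(segments: List[Segment]) -> List[str]:
    """only_stream-style inspection: the pattern is checked against the
    reassembled stream, so offset:0 is the first byte the client ever sent."""
    streams: Dict[str, bytes] = {}
    for s in segments:
        streams[s.flow] = streams.get(s.flow, b"") + s.payload
    return sorted(f for f, data in streams.items() if content_at_start(data))


# Constructed sample traffic: two flows to port 4444.
FLOW_A = "10.0.0.1:5555->10.0.0.2:4444"
FLOW_B = "10.0.0.3:6666->10.0.0.2:4444"
SEGMENTS = [
    Segment(FLOW_A, b"bla-bla here"),   # 0: flow A starts with the pattern
    Segment(FLOW_A, b"more bla-bla"),   # 1: pattern present, but not at offset 0
    Segment(FLOW_A, b"bla-bla again"),  # 2: later segment that also starts with it
    Segment(FLOW_B, b"hello"),          # 3: flow B starts with something else
    Segment(FLOW_B, b"bla-bla late"),   # 4: pattern at the start of a later segment
]

if __name__ == "__main__":
    print("per packet        :", per_packet(SEGMENTS))
    print("per packet+flowbit:", per_packet_flowbits(SEGMENTS))
    print("per stream        :", per_stream(SEGMENTS))
```

Running it shows the difference the thread is about: the per-packet rule alerts on segments 0, 2 and 4; the flowbits variant alerts on 0 and 4 (once per flow, but on the first matching packet rather than the first packet, so flow B still alerts on segment 4); the stream-scoped check alerts for flow A only, because only that flow actually begins with the pattern.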
