[Oisf-users] signature question

erik clark philosnef at gmail.com
Fri Jul 14 15:58:37 UTC 2017


I have a flow and data question about a signature I am trying to write.

I have a remote source initiating a connection to a local address, which
then responds to the remote source with a given 4-byte hex string at
offset 0.

I am looking at this:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords

but I don't quite follow whether I should use flow:from_server with src
internal / dest external, or established (which means it has already been
inspected as having a remote handshake with a local response, which is what
I am trying to alert on?).

Thanks!
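An added illustration of how the two flow keywords combine for the case described above. This is not from the original post or from Suricata's own documentation. The post does not give the 4-byte string, so "de ad be ef" below is a placeholder, and the $HOME_NET/$EXTERNAL_NET variables and the sid value are assumptions:

```suricata
# Added example rule, not from the original post. The bytes "de ad be ef"
# stand in for the real 4-byte response prefix; sid is arbitrary.
#
# Header direction is the packet direction: the response travels from the
# local host ($HOME_NET) back to the remote initiator ($EXTERNAL_NET).
# flow:from_server (synonym: to_client) matches packets sent by whichever
# side accepted the connection, i.e. did not send the initial SYN. It is
# relative to who started the flow, not to which address is internal.
# flow:established matches only after the TCP three-way handshake has
# completed. The two are not alternatives; they are combined in one keyword.
# depth:4 with offset:0 (offset:0 is the default) anchors the match to the
# first 4 payload bytes of each matching server-to-client packet.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Local host answered remote client with known 4-byte prefix"; flow:established,from_server; content:"|de ad be ef|"; offset:0; depth:4; classtype:misc-activity; sid:9000001; rev:1;)
```

Note that this matches any server packet in the flow whose payload begins with those bytes, not only the first reply; if the response byte pattern can legitimately recur later in the session, tighten it with additional context (for example the application-layer keyword for the protocol in use, or a port restriction in the header).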