[Oisf-users] signature question
erik clark
philosnef at gmail.com
Fri Jul 14 15:58:37 UTC 2017
I have a flow and data question about a signature I am trying to write.
I have a remote source initiating a connection to a local address, which
then responds to the remote source with a given hex string 4 bytes long,
offset 0.
I am looking at this:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords
but don't quite follow if I should use flow:from_server with src internal
dest external, or established (which means it already was inspected as
having a remote handshake with a local response that I am trying to alert
off of?)
Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170714/d58b2c5c/attachment.html>
More information about the Oisf-users
mailing list