[Oisf-users] signature question

Travis Green travis at travisgreen.net
Fri Jul 14 16:47:56 UTC 2017


Erik, you likely want:

$HOME_NET -> $EXTERNAL_NET with flow:established,to_server;

Would also recommend setting a flowbit on the inbound traffic and checking
isset on this outbound traffic. The ET netwire rat sigs are similar and might
make a good template (2021290).

HTH,
-T

On Fri, Jul 14, 2017 at 9:58 AM, erik clark <philosnef at gmail.com> wrote:

> I have a flow and data question about a signature I am trying to write.
>
> I have a remote source initiating a connection to a local address, which
> then responds to the remote source with a given hex string 4 bytes long,
> offset 0.
>
> I am looking at this:
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords
>
> but don't quite follow if I should use flow:from_server with src internal
> dest external, or established (which means it already was inspected as
> having a remote handshake with a local response that I am trying to alert
> off of?)
>
> Thanks!
>
>



-- 
PGP: ABE625E6
keybase.io/travisbgreen
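The flowbit pattern suggested in the reply above, written out as an added example; these rules are not from the thread or from the ET ruleset. The 4-byte marker, rule names and sid values are placeholders. Because the remote host opens the connection, Suricata treats the local host as the server, so the inbound request is to_server and the local response is to_client.

```suricata
# Rule 1: remote client opens a TCP connection to a local host.
# Sets a flowbit on the flow and suppresses its own alert (flowbits:noalert).
# Assumption: any destination port; narrow "any" to the real service port in production.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER inbound connection from remote client"; flow:established,to_server; flowbits:set,ext.inbound.conn; flowbits:noalert; classtype:misc-activity; sid:9000001; rev:1;)

# Rule 2: the local host's response carries a 4-byte marker at payload offset 0.
# Fires only when rule 1 already set the flowbit on this same flow.
# |de ad be ef| is a placeholder for the real 4-byte hex string.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER local server response with 4-byte marker"; flow:established,to_client; flowbits:isset,ext.inbound.conn; content:"|de ad be ef|"; offset:0; depth:4; classtype:trojan-activity; sid:9000002; rev:1;)
```

Load both rules in the same ruleset and check with `suricata -T` that they parse; a test pcap with the inbound SYN/ACK handshake followed by the local reply should produce exactly one alert, from sid 9000002.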