[Oisf-users] signature question

erik clark philosnef at gmail.com
Mon Jul 17 11:52:46 UTC 2017


Thanks everyone! Got this working exactly as expected.

On Fri, Jul 14, 2017 at 12:47 PM, Travis Green <travis at travisgreen.net>
wrote:

> Erik, you likely want:
>
> $HOME_NET -> $EXTERNAL_NET with flow:established,to_server;
>
> Would also recommend setting a flowbit on the inbound traffic and check
> isset on this outbound traffic. The ET netwire rat sigs are similar, might
> make a good template (2021290).
>
> HTH,
> -T
>
> On Fri, Jul 14, 2017 at 9:58 AM, erik clark <philosnef at gmail.com> wrote:
>
>> I have a flow and data question about a signature I am trying to write.
>>
>> I have a remote source initiating a connection to a local address, which
>> then responds to the remote source with a given hex string 4 bytes long,
>> offset 0.
>>
>> I am looking at this:
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords
>>
>> but don't quite follow if I should use flow:from_server with src internal
>> dest external, or established (which means it already was inspected as
>> having a remote handshake with a local response that I am trying to alert
>> off of?)
>>
>> Thanks!
>>
> --
> PGP: ABE625E6
> keybase.io/travisbgreen
>
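The two-rule flowbit pattern Travis describes, written out as an added example that is not from this thread or from the ET ruleset: the inbound rule tags the flow without alerting, and the outbound rule fires only when a tagged flow's response starts with the expected 4 bytes at offset 0. Hex values, the flowbit name and the sids are constructed placeholders; as in the original question the local host is the TCP server, so its response direction is to_client (use to_server, as in Travis's reply, when the local host is the side that opened the connection).

```suricata
# Rule 1 (inbound): remote client connects to a local host and sends its opening
# bytes. Tag the flow and stay silent (flowbits:noalert) so only rule 2 alerts.
# The inbound content "|01 02 03 04|" is a constructed placeholder; the thread
# does not say what the remote side sends.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Inbound probe seen, tagging flow"; flow:established,to_server; content:"|01 02 03 04|"; offset:0; depth:4; flowbits:set,example.inbound_probe; flowbits:noalert; classtype:misc-activity; sid:9000001; rev:1;)

# Rule 2 (outbound): the local server's reply begins with the 4-byte marker
# (constructed value "|de ad be ef|") AND the same flow was tagged by rule 1.
# offset:0; depth:4 pins the match to the first four payload bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Local host replied with marker after inbound probe"; flow:established,to_client; flowbits:isset,example.inbound_probe; content:"|de ad be ef|"; offset:0; depth:4; classtype:trojan-activity; sid:9000002; rev:1;)
```

Both rules must be loaded together: flowbits:isset in rule 2 is only true if rule 1 matched earlier in the same flow, which is what keeps a stray 4-byte response from alerting on its own.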

