Snort mailing list archives
Alert on logical detection
From: Laurent Juin <ljuin () gerpi fr>
Date: Wed, 30 Oct 2002 08:58:49 +0100
Hello,
I would like to alert only when snort sees an HTTP packet from a host
AND does NOT see another HTTP packet from the same host within the
next 15 seconds.
How do you write this logical match with snort rules?
I think about the following:
First solution:
I can do it with the tag option to log all the packets from the
source host during the 15 seconds.
var MY_NET 192.168.1.0/24
var MY_CGI_SERVER 192.168.1.1
var MY_IMAGE_SERVER 192.168.1.2
var HTTP 80
alert tcp !$MY_NET any -> $MY_CGI_SERVER $HTTP (content:"GET"; content:".cgi"; tag:host,15,seconds,src; msg:"Get CGI";)
And I will do post analysis from the log to see if the source host
does or does not request a GET to $MY_IMAGE_SERVER.
But the growing traffic will overflow the logging and analysis process.
Second solution:
log tcp !$MY_NET any -> $MY_CGI_SERVER $HTTP (content:"GET"; content:".cgi"; msg:"Get CGI"; logto:"host-get-cgi.file";)
log tcp !$MY_NET any -> $MY_IMAGE_SERVER $HTTP (content:"GET"; content:".jpg"; msg:"Get JPEG"; logto:"host-get-image.file";)
And I will do
diff host-get-cgi.file host-get-image.file
to get the hosts that did NOT request the $MY_IMAGE_SERVER.
But I cannot react within 15 seconds.
Third solution:
Can you write another solution?
Laurent
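As an added example (not part of the original post or of Snort), the post-analysis step the first solution describes, written as a streaming correlator over Snort fast-alert lines: it flags a host whose "Get CGI" alert is not followed by a "Get JPEG" alert from the same source within 15 seconds, and it can only give that verdict once the window has closed, which is exactly the delay the post complains about. The rule names match the post; the alert lines, SIDs and source addresses are constructed.

```python
# Added example (not from the original post): streaming correlation of
# Snort fast-alert lines for the "CGI GET with no image GET within 15 s" rule.
import re
from collections import deque
from datetime import datetime

WINDOW = 15.0  # seconds a host has to fetch an image after a CGI GET

# Constructed sample in Snort fast-alert layout (no real traffic).
SAMPLE_ALERTS = """\
10/30-08:58:49.000000  [**] [1:1000001:1] Get CGI [**] {TCP} 10.1.1.5:1024 -> 192.168.1.1:80
10/30-08:58:52.500000  [**] [1:1000002:1] Get JPEG [**] {TCP} 10.1.1.5:1025 -> 192.168.1.2:80
10/30-08:58:55.000000  [**] [1:1000001:1] Get CGI [**] {TCP} 10.1.1.9:2000 -> 192.168.1.1:80
10/30-08:59:20.000000  [**] [1:1000001:1] Get CGI [**] {TCP} 10.1.1.7:3000 -> 192.168.1.1:80
10/30-08:59:21.000000  [**] [1:1000002:1] Get JPEG [**] {TCP} 10.1.1.9:2001 -> 192.168.1.2:80
"""

ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})\s+\[\*\*\] \[[\d:]+\] "
    r"(.+?) \[\*\*\] .*?\{TCP\} ([\d.]+):\d+ ->")


def parse_alert(line, year=2002):
    """Return (epoch_seconds, msg, src_ip); the year is not in the line, so it is assumed."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: " + line)
    mon, day, hh, mm, ss, us, msg, src = m.groups()
    t = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss), int(us))
    return t.timestamp(), msg, src


def correlate(lines, window=WINDOW):
    """Return (cgi_time, host) for every "Get CGI" not followed by a "Get JPEG"
    from the same host within `window` seconds. A verdict is only possible once
    the window has closed (or the input ends), so output trails traffic by up to
    `window` seconds."""
    events = sorted((parse_alert(l) for l in lines if l.strip()), key=lambda e: e[0])
    pending = deque()  # (cgi_time, host) still inside their window, oldest first
    flagged = []
    for t, msg, host in events:
        while pending and pending[0][0] + window < t:  # window closed, no image seen
            flagged.append(pending.popleft())
        if msg == "Get CGI":
            pending.append((t, host))
        elif msg == "Get JPEG":  # host did fetch an image: clear its pending CGI hits
            pending = deque(p for p in pending if p[1] != host)
    flagged.extend(pending)  # input ended with these still unresolved; report them
    return flagged
```

On the constructed sample, 10.1.1.5 is cleared by its image request 3.5 s later, 10.1.1.9 is flagged because its image request arrives 26 s after the CGI request, and 10.1.1.7 is reported unresolved at end of input.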