
I am trying to implement a Snort rule that will check whether a specific field of the Query (the transaction id, Modbus protocol) is the same in the Response. If not, then alarm. The question is whether it is possible to implement and, if yes, how?

AlexP
  • Network traffic is a string flow, and Snort can inspect any strings via options such as content and pcre. The problem is the structure of the response traffic. Can you show me a sample? – Mr.kang Jan 17 '17 at 17:29
  • To be more clear, I am talking about the Modbus over TCP protocol. The first two bytes of the payload indicate the transaction id. My idea is to check that Request and Response messages have the same id. The problem is that in pcre I have to put some known IDs, while I don't know them, as a new id is generated for every Request-Response. – AlexP Jan 17 '17 at 17:35
  • I think it is impossible. There is no way to pass the first detection result to another rule. Good luck. :) – Mr.kang Jan 17 '17 at 17:55
  • Thanks, I hoped there was something like "flowbits" that lets you set single bits in variables, but with integers. But I guess no luck here :) – AlexP Jan 17 '17 at 18:07
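An added example, not from the original thread or any of its participants: the correlation the question asks for (a Modbus/TCP response whose transaction id does not match an outstanding request on the same TCP flow) needs state that is carried from one packet to the next, so it is shown here as a small stateful tracker fed with per-packet payloads rather than as a Snort rule. The header parsing follows standard Modbus/TCP framing (2-byte transaction id, 2-byte protocol id, 2-byte length, 1-byte unit id, then the function code); the `ModbusTidTracker` class, the flow keys and the sample packets are constructed for this example. It goes slightly beyond the question by also checking that the response function code matches the request it is paired with.

```python
import struct
from collections import defaultdict

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP frame. Returns a dict, or None if the framing is invalid."""
    if len(payload) < MBAP_LEN + 1:  # need at least a function code after the header
        return None
    tid, pid, length, unit = struct.unpack("!HHHB", payload[:MBAP_LEN])
    if pid != 0:  # the protocol id is always 0 for Modbus/TCP
        return None
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "func": payload[MBAP_LEN], "pdu": payload[MBAP_LEN:]}


class ModbusTidTracker:
    """Tracks outstanding transaction ids per (client, server) flow.

    observe() returns an alert string when a response cannot be paired with a
    pending request, and None otherwise.  This is the stateful check a
    per-packet content/pcre rule cannot express on its own.
    """

    def __init__(self):
        # flow key -> {transaction id: function code of the pending request}
        self.pending = defaultdict(dict)

    def observe(self, client, server, direction, payload):
        hdr = parse_mbap(payload)
        key = (client, server)  # constructed flow key; a real tracker would use addr:port pairs
        if hdr is None:
            return f"malformed MBAP frame on flow {key} ({direction})"
        if direction == "req":
            self.pending[key][hdr["tid"]] = hdr["func"]
            return None
        req_func = self.pending[key].pop(hdr["tid"], None)
        if req_func is None:
            return f"response tid={hdr['tid']} has no matching request on flow {key}"
        # Exception responses set the high bit of the function code.
        if (hdr["func"] & 0x7F) != req_func:
            return (f"response tid={hdr['tid']} func={hdr['func']:#x} does not match "
                    f"request func={req_func:#x} on flow {key}")
        return None


def run_sample():
    """Feed a constructed request/response sequence through the tracker."""
    tracker = ModbusTidTracker()
    client, server = "10.0.0.5", "10.0.0.20"
    # Constructed frames: Read Holding Registers (func 3), unit 1.
    req_1 = bytes.fromhex("0001 0000 0006 01 03 0000 0001")   # tid 1, addr 0, qty 1
    resp_1 = bytes.fromhex("0001 0000 0005 01 03 02 002A")    # tid 1, one register = 42
    req_2 = bytes.fromhex("0002 0000 0006 01 03 0000 0001")   # tid 2
    resp_bad = bytes.fromhex("0009 0000 0005 01 03 02 002A")  # tid 9 was never requested
    resp_2 = bytes.fromhex("0002 0000 0005 01 03 02 002A")    # tid 2, matches req_2
    events = [("req", req_1), ("resp", resp_1), ("req", req_2),
              ("resp", resp_bad), ("resp", resp_2)]
    alerts = []
    for direction, payload in events:
        alert = tracker.observe(client, server, direction, payload)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT:", line)
```

In the constructed sequence only the frame with transaction id 9 raises an alert; the two legitimate responses are silently paired with their requests and removed from the pending table. A production version would also expire pending entries so that a request whose response never arrives does not leak state.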

0 Answers