Help with requires-reverse-signature

Hi there,

I’m having a little trouble with the requires-reverse-signature condition.
Is this able to call its own <id> as the condition for the parameter
or does it have to be embedded within a signature that references another
signature?

I’m looking for a keep-alive connection and want the alert to ONLY fire if
it sees the request and response.

What I have so far is:

signature foo {
  #Author: Josh Guild
  #source: Morphick
  #version: 1
  ip-proto == tcp
  payload /byte string/
  payload-size == number
}

paired with:

signature bar {
  #Author: Josh Guild
  #source: Morphick
  #version: 1
  ip-proto == tcp
  payload /byte string/
  payload-size == number
  requires-reverse-signature foo
  event "foobar"
}

I’m working with a pcap in which I KNOW the condition exists and should fire
the alert. I am able to get the first portion to fire off but not the
conditional alert. I’ve also tried to mess with the tcp-state condition,
to no avail.

Any advice you can throw my way would be much appreciated!

Josh