Hi there,
I’m having a little trouble with the requires-reverse-signature condition.
Is this able to call its own <id> as the condition for the parameter,
or does it have to be embedded within a signature that references another
signature?
I’m looking for a keep-alive connection and want the alert to ONLY fire if
it sees the request and response.
What I have so far is:
signature foo {
    #Author: Josh Guild
    #source: Morphick
    #version: 1
    ip-proto == tcp
    payload /byte string/
    payload-size == number
}
paired with:
signature bar {
    #Author: Josh Guild
    #source: Morphick
    #version: 1
    ip-proto == tcp
    payload /byte string/
    payload-size == number
    requires-reverse-signature foo
    event "foobar"
}
I’m working with a pcap in which I KNOW the condition exists and should fire
the alert. I am able to get the first portion to fire off but not the
conditional alert. I’ve also tried to mess with the tcp-state condition as
well, to no avail.
Any advice you can throw my way would be much appreciated!
Josh
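For reference, here is how a request/response pair can be expressed with two direction-specific signatures. This is an added example, not the poster's signatures or anything from Morphick; the port, payload markers, sizes and event text are constructed placeholders for a hypothetical keep-alive protocol.

```bro
# Added example (not the poster's code). The request and response each get
# their own signature, restricted to one direction with tcp-state, and only
# the response signature raises the event.

signature keepalive_request {
    ip-proto == tcp
    dst-port == 8080          # assumed service port (placeholder)
    payload /^PING/           # assumed request marker (constructed)
    payload-size == 6         # "PING\r\n" is 6 bytes in this made-up protocol
    tcp-state originator      # only the client -> server direction
}

signature keepalive_response {
    ip-proto == tcp
    src-port == 8080
    payload /^PONG/           # assumed response marker (constructed)
    payload-size == 6
    tcp-state responder       # only the server -> client direction
    # Match only if keepalive_request already matched in the opposite
    # direction of this same connection.
    requires-reverse-signature keepalive_request
    event "keepalive request/response pair seen"
}
```

The dependency sits on the response signature because the response is inspected after the request has already been seen, so the reverse-direction match exists by the time the condition is checked; the request signature itself carries no `event`, so nothing fires on a request alone. Keeping the two patterns distinct and direction-bound avoids one pattern matching both sides of the conversation. Load the file with `@load-sigs ./keepalive.sig` (or by adding it to `signature_files`) and handle the resulting `signature_match` event in a script if anything beyond the default notice is needed.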