I want to write SNORT rules which can only be triggered (second rule) after a certain rule (first rule) was triggered previously. Additionally, the second rule should then start sniffing for completely or partially equal content to the content of the first rule, but sent by a different host. This could help to detect replay attacks or man-in-the-middle attacks.
I imagine something like:
trigger udp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:""; TRIGGER RULE 2; content:"|12 34|"; sid:1; rev:1;)
react udp !$IP_FROM_FIRST_RULE any -> $HOME_NET 1234 (msg:""; content:"|12 34|"; sid:2; rev:1;)
- Is there some way to do this directly with correct SNORT rule syntax?
- Is there some other approach to detect replay attacks with SNORT?
- Does SNORT support any Stateful packet inspection, taking more than 1 packet into the detection mechanism?
Edit
I read a little bit more through the SNORT manual, where I found the possibility of using flowbits with the Session preprocessors. Unfortunately, it is still not possible to pass the source IP address, which triggered the first rule, as information to the second rule.
My only solution for now is to write 2 dynamic rules (SO rules), which translate the source IP addresses into binary and write them into 36 flowbits (XXX.XXX.XXX.XXX), which are then compared to see whether they are identical. If so, the flowbits are reset; otherwise an alert is thrown.
I am open to other ideas :)
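Added editorial example (not part of the question, and not Snort code): the cross-flow state the poster is asking for, written as a small Python detector. Snort flowbits are scoped to a single flow, so a bit set by a datagram from host A is never visible when host B's datagram is inspected; the detector below instead keys its state on (destination IP, destination port, SHA-256 of the payload) and remembers the first source that sent each marked payload. A later datagram with the same payload (or, with `prefix_len` set, the same leading bytes, for the "partially equal content" case) to the same service from a different source raises an alert; repeats from the original sender and entries older than the window are ignored. The marker `|12 34|` and port 1234 come from the question; the hosts, payloads and timestamps are constructed sample data, and the class and function names are this example's own.

```python
"""Cross-flow replay detection on a stream of UDP datagrams (added example).

Emulates the two-rule idea from the question: the first datagram carrying the
marker (content:"|12 34|" of sid:1) records its source; the same payload sent
to the same service by a different source later raises an alert.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MARKER = b"\x12\x34"  # the content:"|12 34|" from the question's first rule


@dataclass(frozen=True)
class Datagram:
    ts: float       # capture time in seconds
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination UDP port
    payload: bytes


@dataclass(frozen=True)
class ReplayAlert:
    ts: float
    first_src: str
    replay_src: str
    dst: str
    dport: int
    digest: str


class CrossFlowReplayDetector:
    """Remember who first sent a marked payload to a service and flag the same
    payload arriving from any other source within `window` seconds."""

    def __init__(self, marker: bytes = MARKER, window: float = 300.0, prefix_len: int = 0):
        self.marker = marker
        self.window = window
        self.prefix_len = prefix_len  # 0 = compare full payload, >0 = compare only that prefix
        # (dst, dport, payload digest) -> (first seen ts, first source)
        self._seen: Dict[Tuple[str, int, str], Tuple[float, str]] = {}

    def _key(self, d: Datagram) -> Tuple[str, int, str]:
        body = d.payload if self.prefix_len == 0 else d.payload[: self.prefix_len]
        return (d.dst, d.dport, hashlib.sha256(body).hexdigest())

    def _expire(self, now: float) -> None:
        stale = [k for k, (ts, _) in self._seen.items() if now - ts > self.window]
        for k in stale:
            del self._seen[k]

    def observe(self, d: Datagram) -> Optional[ReplayAlert]:
        self._expire(d.ts)
        if self.marker not in d.payload:
            return None                      # "rule 1" did not match: nothing to remember
        key = self._key(d)
        first = self._seen.get(key)
        if first is None:
            self._seen[key] = (d.ts, d.src)  # first sighting: record the original sender
            return None
        _first_ts, first_src = first
        if first_src == d.src:
            return None                      # same host repeating itself: ordinary retransmit
        return ReplayAlert(d.ts, first_src, d.src, d.dst, d.dport, key[2])


def detect_replays(datagrams, **kwargs) -> List[ReplayAlert]:
    """Run the detector over datagrams in time order and collect alerts."""
    det = CrossFlowReplayDetector(**kwargs)
    alerts: List[ReplayAlert] = []
    for d in sorted(datagrams, key=lambda x: x.ts):
        a = det.observe(d)
        if a is not None:
            alerts.append(a)
    return alerts


# Constructed sample traffic (not captured data).
TOKEN = MARKER + b"session-token-0001"
SAMPLE = [
    Datagram(0.0, "10.0.0.5", "192.168.1.10", 1234, TOKEN),              # original sender
    Datagram(1.5, "10.0.0.5", "192.168.1.10", 1234, TOKEN),              # retransmit, same host
    Datagram(2.0, "10.0.0.9", "192.168.1.10", 1234, MARKER + b"other"),  # different content
    Datagram(5.0, "198.51.100.7", "192.168.1.10", 1234, TOKEN),          # same payload, other host
    Datagram(400.0, "203.0.113.4", "192.168.1.10", 1234, TOKEN),         # after window: new baseline
]

if __name__ == "__main__":
    for a in detect_replays(SAMPLE):
        print(f"{a.ts:6.1f}s payload first seen from {a.first_src} replayed by "
              f"{a.replay_src} -> {a.dst}:{a.dport} sha256={a.digest[:12]}")
```

Running it on the sample yields a single alert for the datagram at 5.0 s; the retransmit from the original host and the datagram after the 300 s window are not reported. The window is the main tuning knob: too short and slow replays slip through, too long and the state table grows with every distinct marked payload.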