Use only xbit: isset,XXXX; in rule.

[Hirbod Moriani]

Hi dear friends,

Can we use only Xbit isset rule? 

something like this: 

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: " "; xbit: isset,XXX; after track by_src,count 3,seconds 10; refrence: "XXXX"; sid: XXXx; rev: XXX);

I want to find multi-step happenings. for example { if xbit XXX was happens for 3 time in 10 sec then xbit YYY happens for 2 time in 60 sec and so on)

I try above and its match to all logs than sagan process. 

any suggestion? Idea? Its possible? or I should used original rule for tracking? 

BR, 

Hirbod  

[Da Beave]

This can be done.  You have to make it work in stages. Think of it this way:

1.  If a content is seen,  set an xbit A.

2.  If content is seen again,  and the xbit A (isset), then set xbit B. 

3.  if content is seen again,  and xbit A and B are set (isset),  do something. 

I believe we do some of this type of stuff in the nxlog.rules.   It's using flexbits,  but the concepts are still the same.

You can do multiple set, isset, isnotset, unset within a rule.

Hope this helps.