Chaining of Alerts (rule dependency)

Dear Suricata community,

is it possible to create a rule Y which will only match if rule X was previously triggered by a specific source?

Simple example:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HIGH TTL"; flags:S,12; ttl:>199; sid:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOW TTL";  flags:S,12; ttl:<200; sid:2;)

How do I find sources which send a HIGH TTL SYN (first rule) and then, within 10 seconds, a LOW TTL SYN (second rule)? Please note that such SYNs might originate from different source ports, i.e., they are not part of the same flow as identified by the 5-tuple.

Any pointers are appreciated. Thank you! 🙂

Hi! Sounds like a job for xbits https://suricata.readthedocs.io/en/latest/rules/xbits.html

xbits:set,high_ttl,track ip_src, expire 10s; in the first rule and check the xbit in the second rule.

2 Likes
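Putting that suggestion into two complete rules (an added example, not from the original post or the Suricata project; the sid values and the bit name high_ttl are placeholders, and expire is given in seconds):

```suricata
# Rule 1: a SYN with a high TTL sets the bit "high_ttl" for the sending
# address, valid for 10 seconds. noalert keeps this rule from producing
# its own alert; it only records state for the second rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HIGH TTL SYN seen"; flags:S,12; ttl:>199; xbits:set,high_ttl,track ip_src,expire 10; noalert; sid:1000001; rev:1;)

# Rule 2: a SYN with a low TTL from a source whose bit is still set alerts.
# track ip_src compares only the source address, so SYNs from different
# source ports (different flows) still correlate.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOW TTL SYN within 10s of HIGH TTL SYN from same source"; flags:S,12; ttl:<200; xbits:isset,high_ttl,track ip_src; sid:1000002; rev:1;)
```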