Is it possible to create an alert based on multiple files?

Erlind · August 23, 2023, 7:10am

Is it possible to create an alert based on multiple files?
When I receive multiple files from a certain source with certain keywords in a given time, I do not want to receive an alert. But when I receive multiple files from a certain source with certain keywords in a given time and I recognize special keywords in another file 5 minutes later, then I should receive an alert.

Is it possible to write such a rule?

Best regards Erlind

sbhardwaj · August 23, 2023, 7:18am

Hi @Erlind ! Welcome to our forum.

I believe so.
I think you should be looking at a combination of:

Could you please look at these and try to make a rule matching your usecase? Let us know if you face any troubles.

Topic		Replies	Views
Missing Alert - http.request body (alone) and http.request_body/url_decode in a single rule Rules	2	798	January 4, 2021
Alert on specific filepath? Rules	1	795	December 23, 2020
Chaining of Alerts (rule dependency) Rules	1	794	September 25, 2020
Can Suricata rules have multiple messages? Rules	2	527	November 15, 2022
Transformation keyword can't trigger an alert Rules	3	758	December 8, 2020

Is it possible to create an alert based on multiple files?

Related Topics