Is it possible to create an alert based on multiple files?

Erlind · August 23, 2023, 7:10am

Is it possible to create an alert based on multiple files?
When I receive multiple files from a certain source with certain keywords in a given time, I do not want to receive an alert. But when I receive multiple files from a certain source with certain keywords in a given time and I recognize special keywords in another file 5 minutes later, then I should receive an alert.

Is it possible to write such a rule?

Best regards Erlind

sbhardwaj · August 23, 2023, 7:18am

Hi @Erlind ! Welcome to our forum.

I believe so.
I think you should be looking at a combination of:

Could you please look at these and try to make a rule matching your usecase? Let us know if you face any troubles.

Topic		Replies	Views
Missing Alert - http.request body (alone) and http.request_body/url_decode in a single rule Rules	2	978	January 4, 2021
Chaining of Alerts (rule dependency) Rules	1	910	September 25, 2020
Is there a way to prevent Duplicate alerts from appearing in EVE logs within a period of time? Rules rules , suricata	1	286	July 31, 2023
Can Suricata rules have multiple messages? Rules	2	680	November 15, 2022
Transformation keyword can't trigger an alert Rules	3	812	December 8, 2020

Is it possible to create an alert based on multiple files?

Related topics