Snort rule- flowbits- how to save 2 rules in the same session?

I’m trying to build a single session with flowbits to save the packets from both rules in the same session.
I know for sure that both of the rules are good, and separately they provide 2 separate alerts.
What I want to do- is to combine the 2 separate alerts into 1 alert.
My rules are similar to the following example (please ignore the content, it is just for the example and not the problem):

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"example"; flow:to_server,established; content:"SMB"; depth:8;  content:"example1"; flowbits:set,example; sid:1234; rev:1; tag:session,100,packets,60,seconds;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"example"; flow:to_server,established; content:"SMB"; depth:8;  content:"example2"; flowbits:isset,example; sid:1235; rev:1; tag:session,100,packets,60,seconds;)

I want a single session to be created when both of the contents are seen. Is there a way to do that?

Would adding flowbits:noalert; to the first rule accomplish what you are looking for? That way you only get 1 alert after the second one matches.

Hi @bsmith thank for you comment!
But no, it won’t help, because then I will get only the packets from the second alert (that includes only “example 2”, and I want to get the packets from both (that includes “example 1” and “example 2” together)
Is that make any sense?

I think I know what you are trying to do and I’m not sure it it’s possible. If I remember correctly working with Snort, it had a log action that could be used instead of alert. Something like that might work or you could look into a custom Lua Output script to handle it.

What is the issue with having the first rule generating alerts? Would it generate too many alerts? If that’s the case you may be able to use thresholding or a detection_filter

@bsmith actually it generates the alerts perfectly, the issue is that I’m getting 2 separate sessions, and I want to get 1 session that includes 2 streams, built from these 2 rules.
I hope this explanation helps :slight_smile:
I will also check for the other things you mentioned of course

Do you mean event_type instead of sessions?
Or do you mean sessions as in network sessions?

Can you type an example input and output what you would like to see, to ensure we don’t misinterpret your request?

I mean sessions as in network sessions.
Unfortunately I can’t really type the real input and output, but for example:
I’m looking for a SMB session that contains both file named “filename1” and file named “filename2”.
I know for sure that both of the file exists in the same session, but in different packets in this session.
What I want to do, is to write some rule that will give me the full session contains both of the files.
When I’m using the snorts above, I get 2 separate sessions and not the full one.

I hope this explanation works somehow

I still think you mix up sessions with event_types. If it’s from the same flow you will have two file events with the same flow_id and you can correlate those.

One flow (network session) can result in several event_types but should all have the same flow_id which helps to see what happend within such a flow (session).

Oh… ok I understand! I was not familiar with this event_type.
So is it like a regular field in snort that I can use?
I mean - how can I apply your answer on my rule, and actually correlate between those file events and the flow id?
Or is it just a log thing?

I don’t know what you mean with regular field in snort. Those are suricata event logs.
How do you want to correlate it within a rule? What output to you want to achieve?