Re: A "Flowbits" issue

["tung tran" <tunghack () gmail com>]

Hi Joel,
> My question is, is there a reason you are trying to set two flowbits
> with that one rule?
Yes, while the first "flowbits" tells that someone has logged in the
system, the second "flowbits" denotes that a specific user has logged
in the system. Each "flowbits" might be useful in different
situations.

> Are you use "username:tung" appears just like that in a packet?  (i.e.
> no spaces, username and the login name in one string?)
Yes, I just assumed  it appears like that in a packet's payload

Thanks,
Tung.

On Dec 2, 2007 2:09 PM, Joel Esler <joel.esler () sourcefire com> wrote:
> My question is, is there a reason you are trying to set two flowbits
> with that one rule?
>
> Are you use "username:tung" appears just like that in a packet?  (i.e.
> no spaces, username and the login name in one string?)
>
>
>
> --
> Joel Esler
> joel.esler () sourcefire com
>
>
>
>
>
> On Dec 2, 2007, at 2:05 PM, tung tran wrote:
>
> > Hi,
> > My question is:should we use "flowbits" to check a packet against
> > multiple rules or we only use "flowbits" to check next coming packets?
> > If we consider this rule:
> > R0: alert tcp 192.168.0.1 any -> any any (content:"logged
> > in
> > ";flowbits:set
> > ,logged_in",content:"username:tung",flowbits:set,tung_loginned)
> > which marks the flow as: the specific user "tung" has logged in.
> > Can we split this rule into these 2 rules:
> > R1: alert tcp 192.168.0.1 any -> any any (content:"logged
> > in";flowbits:set,logged_in;flowbits:noalert)
> > R2: alert tcp 192.168.0.1 any -> any any
> > (content
> > :"username:tung";flowbits:isset,logged_in",flowbits:set,tung_loggined)
> > Do we normally write rules this way when we use "flowbits"? Is there
> > any situation where we should  split a rule when "flowbits" is used?
> > The problem I see when using "flowbits" to check a packet against
> > multiple rules is the rule triggering order might cause problem. In
> > the example above, if R1 is triggered before R2, these 2 rules do the
> > same thing as rule R0, however, if R2 is triggered before R1, these 2
> > rules do'nt function as we expect.
> > Any idea about this "flowbits" issuse?
> > Thank you very much,
> > Tung
> >
> > -------------------------------------------------------------------------
> > SF.Net email is sponsored by: The Future of Linux Business White Paper
> > from Novell.  From the desktop to the data center, Linux is going
> > mainstream.  Let it simplify your IT future.
> > http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users