Snort mailing list archives

Re: A "Flowbits" issue

From: Jason Brvenik <jasonb () sourcefire com>
Date: Wed, 05 Dec 2007 20:17:02 -0500

None that I'm aware but if you will send me your config and rule I'll
happily have a look.

tung tran wrote:

Hi,
I got a "Segmentation fault" with Snort 2.8.0.1 when I tried to
declare a new alert type, configured the order and used it in a rule
as you suggested. Is it a bug in Snort 2.8.0.1?
Thanks,
Tung.

On Dec 2, 2007 7:02 PM, tung tran <tunghack () gmail com> wrote:

Great explanation !!!
Thanks,
Tung.


On Dec 2, 2007 3:37 PM, Jason Brvenik <jasonb () sourcefire com> wrote:

tung tran wrote:

Hi,
My question is:should we use "flowbits" to check a packet against
multiple rules or we only use "flowbits" to check next coming packets?

yes but...

The behavior is not guaranteed and it's effectiveness is dependent on
the order of the rules. You must have the flowbits:set before the isset.

Given this constraint, there is generally no reason to do this because
in order for them to match, the same packet must have both qualifying
contents.

Except...

When there are multiple paths to a single end state for the final rule.

EG:

content:"bob"; flowbits:set,seen.suspect.user;
content:"alice"; flowbits:set,seen.suspect.user;
content:"jane"; flowbits:set,seen.suspect.user;

flowbits:isset,seen.suspect.user;content:"ccdata";

In this case we are looking for suspect users that are accessing credit
card data. It will immediately flag the packet(s) provided that they are
ordered correctly in the rules file.

You could just as easily use a single PCRE to locate the users but there
would be a different performance profile involved.

If you want to ensure that the rules are always evaluated in the desired
order you can define new rule types.

ruletype alert2
{
 type alert
}

Then use rules as folows.

alert tcp 192.168.0.1 any -> any any (msg:"Seen bob"; content:"bob";
flowbits:set,seen.suspect.user; sid:1000000; rev:1;)

alert tcp 192.168.0.1 any -> any any (msg:"Seen alice"; content:"alice";
flowbits:set,seen.suspect.user; sid:1000001; rev:1;)

alert tcp 192.168.0.1 any -> any any (msg:"Seen jane"; content:"jane";
flowbits:set,seen.suspect.user; sid:1000002; rev:1;)

alert2 192.168.0.1 any -> any any (msg:"suspect user access of ccdata";
flowbits:isset,seen.suspect.user; content:"ccdata"; sid:1000003; rev:1;)

and then set order using either -o

or

config order: pass drop alert alert2 log

The cases where you might want to do something like this are extremely
rare but I've seen them in the past.



-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

A "Flowbits" issue tung tran (Dec 02)
- Re: A "Flowbits" issue Joel Esler (Dec 02)
  - Re: A "Flowbits" issue tung tran (Dec 02)
- Re: A "Flowbits" issue Jason Brvenik (Dec 02)
  - Re: A "Flowbits" issue tung tran (Dec 02)
    - Re: A "Flowbits" issue tung tran (Dec 05)
    - Re: A "Flowbits" issue Jason Brvenik (Dec 05)
    - Re: A "Flowbits" issue tung tran (Dec 05)