Snort mailing list archives

Re: Flowbits option in Snort


From: rmkml <rmkml () yahoo fr>
Date: Mon, 8 Aug 2011 15:57:06 +0200 (CEST)

Hi Matthew,
It's better if you send a pcap example and your snort.conf/version.
If I remember correctly, flowbits:
-work only on the same session/cnx/ports (the second rule on port 1020 never matches; Suricata does)
-it's interesting for checking two (or more) payloads in order on a session (for example, if you check GET at the session
beginning and another GET on the same session further on; Snort does not guarantee flowbits order on the same payload)
Comments/suggestions are welcome.
Regards
Rmkml

For me, flowbits do not work correctly for checking

On Mon, 8 Aug 2011, Matthew Budge wrote:

Hello,

I'm having some trouble with the flowbits option in Snort.

The rules below all trigger alerts when the flowbits option isn't set. However, when flowbits is set (as shown below) only
rules 1 & 2 generate alerts. I understand HTTP GET requests only send the URL and headers to a server, and POST
requests can include a message body. However, how does the difference in the HTTP request methods affect how flowbits works in Snort?
Although the state name "zeus" is set in rule 1 (as rule 2 triggers an alert), rules 3 & 4 don't
recognise this, preventing their alerts from being triggered.

#Rule 1
alert tcp $HOME_NET 1027 -> $EXTERNAL_NET $HTTP_PORTS (content:"GET"; msg:"Rule 1"; flowbits:set,malware; sid:1000010;)
#Rule 2
alert tcp $HOME_NET 1020:1040 -> $EXTERNAL_NET $HTTP_PORTS (content:"GET"; msg:"Rule 2"; flowbits:isset,malware; sid:1000000;)
#Rule 3
alert tcp $HOME_NET 1029 -> $EXTERNAL_NET $HTTP_PORTS (content:"POST"; msg:"Rule 3 Port 1029"; flowbits:isset,malware; sid:1000011;)
#Rule 4
alert tcp $HOME_NET 1030 -> $EXTERNAL_NET $HTTP_PORTS (content:"POST"; msg:"Rule 4: Port 1030"; flowbits:isset,malware; sid:1000012;)

Snort log:
[**] [1:1000010:0] Rule 1 [**]
[Priority: 0]
08/04-17:23:18.108784 10.0.0.2:1027 -> 10.0.1.10:80
TCP TTL:128 TOS:0x0 ID:184 IpLen:20 DgmLen:322 DF
***AP*** Seq: 0x8424D791  Ack: 0x5BE86D33  Win: 0xFFFF  TcpLen: 20

[**] [1:1000000:0] Rule 2 [**]
[Priority: 0]
08/04-17:23:18.108784 10.0.0.2:1027 -> 10.0.1.10:80
TCP TTL:128 TOS:0x0 ID:184 IpLen:20 DgmLen:322 DF
***AP*** Seq: 0x8424D791  Ack: 0x5BE86D33  Win: 0xFFFF  TcpLen: 20

Thanks for any help.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
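The point rmkml makes above, that a flowbit lives in the state of one TCP session, so a rule watching a different client port is looking at a different session and never sees the bit, can be shown with a small model. The code below is an added example written for this page; it is not Snort's implementation and not code from either poster. It is a deliberate simplification (no flow: direction checks, no stream reassembly, rules evaluated in list order, which Snort does not guarantee for a set and an isset on the same packet). The traffic, the client IPs and the sid 1000013 of the corrected POST rule are constructed for the illustration.

```python
# Added example (not Snort's code and not from the original thread): a small model of
# how flowbits state is scoped to one TCP session, replaying the four rules from the
# post against constructed packets. Addresses, payloads and sid 1000013 are made up.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    sports: range            # source ports the rule header matches
    content: bytes           # content: match
    op: str                  # "set" or "isset"
    bit: str                 # flowbit name


def flow_key(p: Packet) -> tuple:
    # A TCP session is identified by both endpoints. Flowbits are kept per session,
    # so a different client port means a different session with an empty bit set.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class FlowbitEngine:
    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.bits: dict[tuple, set[str]] = {}   # session -> bits currently set

    def process(self, pkt: Packet) -> list[int]:
        """Evaluate every rule against one packet; return the sids that alert."""
        bits = self.bits.setdefault(flow_key(pkt), set())
        alerts = []
        # Rules are checked in list order here, so a set in rule 1 is visible to an
        # isset in rule 2 on the same packet. Snort does not guarantee that ordering
        # within one payload; only later packets of the session are guaranteed to see it.
        for r in self.rules:
            if pkt.sport not in r.sports or r.content not in pkt.payload:
                continue
            if r.op == "set":
                bits.add(r.bit)
                alerts.append(r.sid)
            elif r.op == "isset" and r.bit in bits:
                alerts.append(r.sid)
        return alerts


# The four rules from the post, header-for-header:
# alert tcp $HOME_NET 1027      -> $EXTERNAL_NET $HTTP_PORTS (content:"GET";  flowbits:set,malware;   sid:1000010;)
# alert tcp $HOME_NET 1020:1040 -> $EXTERNAL_NET $HTTP_PORTS (content:"GET";  flowbits:isset,malware; sid:1000000;)
# alert tcp $HOME_NET 1029      -> $EXTERNAL_NET $HTTP_PORTS (content:"POST"; flowbits:isset,malware; sid:1000011;)
# alert tcp $HOME_NET 1030      -> $EXTERNAL_NET $HTTP_PORTS (content:"POST"; flowbits:isset,malware; sid:1000012;)
ORIGINAL_RULES = [
    Rule(1000010, "Rule 1", range(1027, 1028), b"GET", "set", "malware"),
    Rule(1000000, "Rule 2", range(1020, 1041), b"GET", "isset", "malware"),
    Rule(1000011, "Rule 3 Port 1029", range(1029, 1030), b"POST", "isset", "malware"),
    Rule(1000012, "Rule 4: Port 1030", range(1030, 1031), b"POST", "isset", "malware"),
]

# One way to make the POST check work: match any client port and let the flowbit,
# which is already per session, do the correlation (sid is hypothetical):
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content:"POST"; flowbits:isset,malware; sid:1000013;)
FIXED_POST_RULE = Rule(1000013, "POST in flagged session", range(1, 65536), b"POST", "isset", "malware")

# Constructed traffic: a GET from client port 1027, POSTs from 1029 and 1030 (two
# new sessions), then a POST on the original 1027 session.
TRAFFIC = [
    Packet("10.0.0.2", 1027, "10.0.1.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.2", 1029, "10.0.1.10", 80, b"POST /gate.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.2", 1030, "10.0.1.10", 80, b"POST /gate.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.2", 1027, "10.0.1.10", 80, b"POST /gate.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def replay(rules: list[Rule], traffic: list[Packet] = TRAFFIC) -> list[list[int]]:
    """Return, per packet, the list of sids that alerted."""
    engine = FlowbitEngine(rules)
    return [engine.process(p) for p in traffic]


if __name__ == "__main__":
    print(replay(ORIGINAL_RULES))                      # [[1000010, 1000000], [], [], []]
    print(replay(ORIGINAL_RULES + [FIXED_POST_RULE]))  # [[1000010, 1000000], [], [], [1000013]]
```

With the original four rules the model reproduces the log in the post: rules 1 and 2 fire on the GET and nothing fires on the POSTs, because ports 1029 and 1030 are fresh sessions in which "malware" was never set. The POSTs on those ports still fire nothing with the corrected rule, which is the behaviour rmkml describes; only the POST carried on the same session as the GET does. In a real Snort rule set you would also add flow:established,to_server and, usually, flowbits:noalert on the setting rule so that only the correlated second stage raises an alert.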
