Re: Snort 2.9.3 Beta Now Available

[Joel Esler <jesler () sourcefire com>]

On May 18, 2012, at 2:58 PM, Joshua Kinard wrote:
> On 05/18/2012 9:55 AM, Snort Releases wrote:
>
> > Snort 2.9.3 Beta is now available on snort.org, at
> > http://www.snort.org/snort-downloads/ in the Latest Development
> > Release section.
>
> > [*] New additions
> >  * Updates to flowbit rule option to allow for OR and AND
> >    of individual bits within a single rule, and allow flowbits
> >    to be used in multiple groups.  See README.flowbits and
> >    the Snort manual for details.
>
>
> This will be interesting to play with.  I take it this was designed to
> combine multiple uses of the keyword when checking the state of several
> flowbits?

I'll post some excerpts from the doc, then I'll explain a bit about how we designed this:

set
---
This keyword sets bits to group for a particular flow. When no group specified, 
set the default group. This keyword always returns true.

Syntax:
    flowbits:set,bats[,group]
Usage:  
    flowbits:set,bit1,doc;
    flowbits:set,bit2&bit3,doc;
    First rule sets bit1 in doc group, second rule sets bit2 and bit3 in doc group. 
    So doc group has bit 1, bit2 and bit3 set  

setx
---
This keyword sets bits to group exclusively. This clears other bits in group. 
Group must present.This keyword always returns true.

Syntax:
    flowbits:setx,bats,group
Usage:  
    flowbits: setx, bit1, doc
    flowbits: setx, bit2&bit3, doc
    First rule sets bit1 in doc group, second rule sets bit2 and bit3 in doc group.
    So doc group has bit2 and bit3 set, because bit1 is cleared by rule 2.

unset
-----
This keyword clears bits specified for a particular flow or clears all bits in the 
group (Group must present). This keyword always returns true.

Syntax:
   flowbits:unset,bats
   flowbits:unset,all,group
   
Usage:  
   flowbits: unset, bit1  
   Clear bit1.
   
   flowbits: unset, bit1&bit2
   After this rule, both bit1 and bit2 are cleared.
   
   flowbits: unset, all, doc
   This clears all bits in the doc group.

<snip toggle>

isset
-----
This keyword checks a bit or several bits to see if it is set.  It returns true or
false based on the following syntax.

Syntax:  
   flowbits:isset, bits => Check whether any bit is set
   flowbits:isset, bats => Check whether all bits are set
   flowbits:isset, any, group => Check whether any bit in the group is set.
   flowbits:isset, all, group => Check whether all bits in the group are set. 
   
Usage
   flowbits:isset, bit1|bit2 => If either bit1 or bit2 is set, return true
   flowbits:isset, bit1&bit2 => If both bit1 and bit2 are set, return true, otherwise false
   flowbits:isset, any, doc => If any bit in group doc is set, return true
   flowbits:isset, all, doc => If all the bits in doc group are set, return true 

isnotset
--------
This keyword is the reverse of isset.  It returns true if isset is false, it returns
false if isset is true. Isnotset works on the final result, not on individual bits.

Syntax:  
   flowbits:isnoset, bits => Check whether not any bit is set
   flowbits:isnoset, bats => Check whether not all bits are set
   flowbits:isnoset, any, group => Check whether not bit in the group is set.
   flowbits:isnotset, all, group => Check whether not all bits in the group are set. 
   
Usage
   flowbits:isnotset, bit1|bit2 => If either bit1 or bit2 is set, return true
   flowbits:isnotset, bit1&bit2 => If both bit1 and bit2 are set, return true, otherwise false
   flowbits:isnotset, any, doc => If any bit in group doc is set, return true
   flowbits:isnotset, all, doc => If all the bits in doc group are set, return true 


So..

You can do things like:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Word doc download"; flowbits:isset,file.doc|file.ole;)

Or if you wanted to alert on all MSOFFICE documents:

Alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ppt"; content:".ppt"; flowbits:set,file.ppt,msoffice; 
flowbits:noalert;)
Alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"doc"; content:".doc"; flowbits:set,file.doc,msoffice; 
flowbits:noalert;)
Alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"xls"; content:".xls"; flowbits:set,file.xls,msoffice; 
flowbits:noalert;)
Alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"mdb"; content:".mdb"; flowbits:set,file.mdb,msoffice; 
flowbits:noalert;)

Then alert.

Alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Office document successful download!"; flowbits:isset,any,msoffice;)

Does that make sense?  There are a ton of uses for logical OR, AND, group, and "setx" (set exclusively).  We spent 
quite a while designing this feature, and it's sure to be awesome!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!