Snort mailing list archives
Re: Use of flowbits in Snort to alert upon reception of second identical packet
From: "Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Tue, 8 Oct 2019 16:22:26 +0000
Matter of fact, we deleted that rule in 2012.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On Oct 8, 2019, at 11:52 AM, Joel Esler (jesler) <jesler () cisco com> wrote:

> Hello Stephane,
>
> The first thing I would suggest is that you are working with a current copy of the rule; that version of the rule is from about 2004. Second, I am not sure Snort can do what you're asking.
>
> --
> Joel Esler
> Manager, Communities Division
> Cisco Talos Intelligence Group
> http://www.talosintelligence.com
>
> On Oct 7, 2019, at 2:41 AM, stephane potier via Snort-sigs <snort-sigs () lists snort org> wrote:
>
>> Hi,
>>
>> I am trying to write a Snort rule that alerts only if the same packet is received twice (IP, port and content are identical). The idea is to raise the alert only on reception of the second identical packet. Several other frames can be received between those two packets. I cannot find clear indications on how to use flowbits for this case.
>>
>> I have found a rule that seems to do a similar job in /etc/snort/rules/web-client.rules (see below), but I am not very clear on how it really works.
>>
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2659; rev:4;)
>>
>> Any explanation of the previous rule and idea is welcome, particularly how flowbits isnotset and set can be written in the same rule, and their position in the rule.
>>
>> Thanks.
>> Herl

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
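The flowbits mechanism the quoted web-client rule relies on, written out as the usual two-rule pattern; this is an added example, not a rule from the thread or from the Snort ruleset, and the marker string, port, flowbit name and sids are constructed for illustration. Rule 1 checks that the bit is not yet set, sets it when the content matches and stays silent (flowbits:noalert); rule 2 fires only when the same content is seen again on a flow where the bit is already set.

```snort
# Rule 1: first sighting of the (constructed) marker on this flow.
# flowbits:isnotset is evaluated as a check; flowbits:set is applied
# only after every other option has matched, which is why both can
# appear in one rule. noalert suppresses the alert but keeps the set.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE first copy of marker on flow"; flow:to_server,established; content:"EXAMPLE-MARKER"; flowbits:isnotset,example.marker.seen; flowbits:set,example.marker.seen; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)

# Rule 2: same content seen again on a flow that already carries the bit.
# Packets for other content in between do not touch the bit, so the
# repeat can arrive several frames later and still alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE second copy of marker on same flow"; flow:to_server,established; content:"EXAMPLE-MARKER"; flowbits:isset,example.marker.seen; classtype:misc-activity; sid:1000002; rev:1;)
```

Two limits follow from how flowbits work: the bit lives on one flow (the same TCP session), so a repeat sent in a new connection from the same IP and port does not see it, and the content has to be a fixed string known when the rule is written, since Snort cannot compare an arbitrary packet against the previous one it saw.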