Snort mailing list archives
Re: How to match the nth packet of a connection?
From: JJ Cummings <cummingsj () gmail com>
Date: Mon, 23 Jun 2008 14:34:51 -0400
please read README.flowbits ... as noted below in snort.foo/doc grepz

$ wget http://snort.org/dl/current/snort-2.8.2.1.tar.gz
--2008-06-23 14:27:58--  http://snort.org/dl/current/snort-2.8.2.1.tar.gz
$ tar xvfz snort-2.8.2.1.tar.gz
x snort-2.8.2.1/
$ cd snort-2.8.2.1/doc
$ grep flowbits *
README.flowbits:The flowbits detection plugin uses the flow preprocessor to track rule state
README.flowbits:The general configuration of the flowbits rule option is:
README.flowbits:    flowbits:<keyword>[,<STATE_NAME>];
README.flowbits:There are seven keywords associated with flowbits, most of the options need a
README.flowbits:Usage: flowbits:set,FOO;
README.flowbits:Usage: flowbits:unset,FOO;
README.flowbits:Usage: flowbits:toggle,FOO;
README.flowbits:Usage: flowbits:isset,FOO;
README.flowbits:Usage: flowbits:isnotset,FOO;
README.flowbits:Usage: flowbits:noalert;
README.flowbits:Usage: flowbits:reset;
README.flowbits:alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in;)
README.flowbits:alert tcp any any -> any 143 (msg:"IMAP lsub"; content:"LSUB"; flowbits:isset,logged_in;)
README.flowbits:alert tcp any any -> any 143 (msg:"IMAP LIST WITHOUT LOGIN"; content:"LIST"; flowbits:isnotset,logged_in;)
README.stream5:TCP and UDP.  With Stream5, the rule 'flow' and 'flowbits' keywords
README.stream5:    port.  Rules that have flow or flowbits will
README.stream5:ports includes either flow or flowbits, the ignore_any_rules option is
README.stream5:effectively pointless.  Because of the potential impact of disabling a flowbits
Binary file snort_manual.pdf matches
snort_manual.tex:\texttt{flowbits\_size} & \texttt{config flowbits\_size: 128} & Specifies the maximum number of flowbit tags that can be used within a rule set.\\
snort_manual.tex:TCP and UDP.  With Stream5, the rule 'flow' and 'flowbits' keywords
snort_manual.tex:\texttt{ignore\_any\_rules} & Don't process any \texttt{->} any (ports) rules for UDP that attempt to match payload if there are no port specific rules for the src or destination port.  Rules that have flow or flowbits will never be ignored.  This is a performance improvement and may result in missed attacks.  Using this does not affect rules that look at protocol headers, only those with content, PCRE, or byte test options.  The default is "off".\\
snort_manual.tex:ports includes either flow or flowbits, the ignore\_any\_rules option is
snort_manual.tex:effectively pointless.  Because of the potential impact of disabling a flowbits
snort_manual.tex:of tagging (\ref{tag section}) and flowbits (\ref{flowbits}).
snort_manual.tex:\subsection{flowbits\label{flowbits}}
snort_manual.tex:The \texttt{flowbits} keyword is used in conjunction with conversation
snort_manual.tex:rules to track states across transport protocol sessions.  The flowbits option
snort_manual.tex:There are seven keywords associated with flowbits.  Most of the options need a
snort_manual.tex:flowbits: [set|unset|toggle|isset|reset|noalert][,<STATE_NAME>];
snort_manual.tex:     content:"OK LOGIN"; flowbits:set,logged_in;
snort_manual.tex:     flowbits:noalert;)
snort_manual.tex:     flowbits:isset,logged_in;)
snort_manual.tex:\caption{Flowbits Usage Examples\label{flowbits usage examples}}
snort_manual.tex:\texttt{flowbits} & The flowbits keyword allows rules to track states across
snort_manual.tex:However, since the rule will fire on every packet involving 10.1.1.1, no packets will get tagged.  The \emph{flowbits} option would be useful here.
snort_manual.tex:alert tcp any any <> 10.1.1.1 any (flowbits:isnotset,tagged;
snort_manual.tex:     flowbits:set,tagged; tag:host,600,seconds,src;)
snort_manual.tex:a means to register and check flowbits.  It also includes a location
snort_manual.tex:The {\em FlowBitsInfo} structure defines a flowbits option.  It
snort_manual.tex:and register flowbits.
snort_manual.tex:\item {\em int processFlowbits(void *p, FlowBitsInfo *flowbits)}
snort_manual.tex:This function evaluates the flowbits for a given packet, as specified
snort_manual.tex:by FlowBitsInfo.  It will interact with flowbits used by text-based
snort_manual.tex:set up fast pattern-matcher content, register flowbits, etc.
snort_manual.tex:    0,      /* Holder, no alert, used internally for flowbits */
snort_manual.tex:each Rule in the list and initializes the content, flowbits, pcre, etc.

Konstantinos Agouros wrote:
Hi,

is there a simple way to match a pattern in say the 3rd packet of a connection? seq and ack can not be used since they are absolute, and I didn't get it from the documentation of stream5. Any hints welcome.

Regards,

Konstantin
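To make the pointer to README.flowbits concrete for the "3rd packet" question, here is an added example (not from the thread or from Snort itself): a small Python simulation of the seven flowbits keywords, run over constructed packets, with a chain of rules that sets one bit per packet so that a content match only alerts on a session's third packet. The rule syntax is a minimal subset written for this toy, and the assumption that rules are evaluated in list order (so a bit set by one rule is visible to the rules after it on the same packet) is the simulator's, not a guarantee Snort's detection engine makes.

```python
import re
from collections import defaultdict

# Constructed rules (minimal Snort-like syntax, parsed by this toy only).
# Counting rules are listed AFTER the alerting rule so one packet cannot
# advance the chain twice; real Snort chooses its own evaluation order.
RULES = [
    'alert tcp any any -> any 25 (msg:"MAIL in 3rd packet"; flowbits:isset,pkt2; flowbits:isnotset,pkt3; content:"MAIL";)',
    'alert tcp any any -> any 25 (msg:"count3"; flowbits:isset,pkt2; flowbits:isnotset,pkt3; flowbits:set,pkt3; flowbits:noalert;)',
    'alert tcp any any -> any 25 (msg:"count2"; flowbits:isset,pkt1; flowbits:isnotset,pkt2; flowbits:set,pkt2; flowbits:noalert;)',
    'alert tcp any any -> any 25 (msg:"count1"; flowbits:isnotset,pkt1; flowbits:set,pkt1; flowbits:noalert;)',
]

OPTION = re.compile(r'(\w+):("[^"]*"|[^;]*);')

def parse_rule(text):
    """Return (msg, [(option, value), ...]) from the rule's option block."""
    body = text[text.index('(') + 1:text.rindex(')')]
    opts = [(k, v.strip('"')) for k, v in OPTION.findall(body)]
    msg = next(v for k, v in opts if k == 'msg')
    return msg, [(k, v) for k, v in opts if k != 'msg']

def evaluate(options, payload, bits):
    """Evaluate options in order against one packet and the flow's bit set.
    Checks (content, isset, isnotset) stop evaluation on failure; set, unset,
    toggle and reset take effect when reached; noalert suppresses the alert."""
    alert = True
    for kind, value in options:
        if kind == 'content' and value not in payload:
            return False
        if kind != 'flowbits':
            continue
        op, _, name = value.partition(',')
        if op == 'set':
            bits.add(name)
        elif op == 'unset':
            bits.discard(name)
        elif op == 'toggle':
            bits.symmetric_difference_update({name})
        elif op == 'reset':
            bits.clear()
        elif (op == 'isset' and name not in bits) or (op == 'isnotset' and name in bits):
            return False
        elif op == 'noalert':
            alert = False
    return alert

def run(packets, rules=RULES):
    """packets: [(flow_id, payload)]. Returns [(flow_id, packet_no, msg)]."""
    parsed = [parse_rule(r) for r in rules]
    state, count, alerts = defaultdict(set), defaultdict(int), []  # per-session state
    for flow, payload in packets:
        count[flow] += 1
        for msg, options in parsed:
            if evaluate(options, payload, state[flow]):
                alerts.append((flow, count[flow], msg))
    return alerts

# Constructed sample: two interleaved sessions. A carries MAIL in its 3rd packet;
# B's 3rd packet is RCPT, and its 4th packet (MAIL) must not alert.
SAMPLE = [('A', 'EHLO x'), ('B', 'MAIL'), ('A', 'NOOP'), ('B', 'MAIL'),
          ('B', 'RCPT TO:<y>'), ('A', 'MAIL FROM:<z>'), ('B', 'MAIL FROM:<q>')]
```

Running `run(SAMPLE)` yields a single alert for flow A at packet 3; session B never alerts because its third packet lacks the content and `pkt3` is already set by the time its fourth packet arrives.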