Snort mailing list archives
Re: Flowbits Set and Not Checked Against SRC/DSTNetworks
From: beenph <beenph () gmail com>
Date: Tue, 28 Jun 2011 08:55:24 -0400
On Mon, Jun 27, 2011 at 10:51 PM, <Joshua.Kinard () us-cert gov> wrote:
> It is my understanding that 'flow:stateless' on a TCP rule with 'flowbits' is nonsensical -- it should, in fact, throw a fatal error (but doesn't currently). Snort would need an established session present before it can apply 'flowbits', and since the SYN packet usually defines the start of a TCP session, you're basically asking the chicken which came first, it or the egg it hatched from.
Hi Joshua, maybe others could comment on this, but having flow:stateless is just a way of ensuring that you are not triggering on in-stream data, thus perfectly valid in my understanding of the test case.
> There is a formerly-undocumented option to 'flow' that might be worth trying: 'not_established'. It works well when you play back PCAP files that exclude the TCP handshake, due to how the packets were logged. But likely, if you are looking for the first SYN packet, 'flags:S,CE;' will probably be the best bet.
I am not sure, but I think not_established is superseded by the functionality of stateless. But I agree that flags could be something like flags:S,+; flow:stateless; or flow:not_established; But it was given only as a mere example for the test case, since I was not sure about their ultimate needs.

-elz.
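For readers following the exchange above, here is an added illustration of the rule options being discussed (it is not part of the thread and not a rule shipped with Snort): one rule tags the initial SYN with a flowbit using flags:S,CE, and a second rule checks that flowbit only inside the established stream. The variable names $EXTERNAL_NET/$HOME_NET are standard snort.conf variables; the flowbit name, sids and the port-80 target are assumptions made up for the example.

```snort
# Added example rules (not from the thread). Assumes the usual $EXTERNAL_NET /
# $HOME_NET variables and a web server on port 80 inside $HOME_NET.

# Rule 1: match the first SYN of a connection. A bare SYN has no established
# session yet, so it is matched on TCP flags rather than on flow state.
# flags:S,CE = SYN set, with the CWR/ECE (ECN) bits masked out so ECN-capable
# clients still match. flowbits:noalert suppresses an alert for the tag itself.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE initial SYN to web server tagged"; flags:S,CE; flowbits:set,example_syn_seen; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: only evaluate inside the reassembled, established stream that followed
# the tagged SYN. flow:to_server,established prevents this rule from matching
# stateless packets, and flowbits:isset ties it back to rule 1.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE request in session whose SYN was tagged"; flow:to_server,established; flowbits:isset,example_syn_seen; content:"GET "; depth:4; sid:1000002; rev:1;)

# Variant of rule 1 for replayed PCAPs that lack the handshake, using the
# flow keyword mentioned in the thread instead of the flag test.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE pre-handshake packet tagged"; flow:not_established; flowbits:set,example_syn_seen; flowbits:noalert; sid:1000003; rev:1;)
```

When testing this pair against a capture, the second rule should fire only for sessions whose SYN was seen by the sensor; a capture that starts mid-stream will never set the flowbit, which is exactly the case the not_established variant is meant to cover.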
Current thread:
- Flowbits Set and Not Checked Against SRC/DST Networks Eoin Miller (Jun 24)
- Re: Flowbits Set and Not Checked Against SRC/DST Networks Joel Esler (Jun 27)
- Re: Flowbits Set and Not Checked Against SRC/DST Networks Martin Holste (Jun 27)
- Re: Flowbits Set and Not Checked Against SRC/DST Networks Joel Esler (Jun 27)
- Re: Flowbits Set and Not Checked Against SRC/DST Networks Russ Combs (Jun 27)
- Re: Flowbits Set and Not Checked Against SRC/DST Networks Martin Holste (Jun 27)
- Re: Flowbits Set and Not Checked Against SRC/DST Networks Martin Holste (Jun 27)
- Re: Flowbits Set and Not Checked Against SRC/DST Networks Joel Esler (Jun 27)
- Re: Flowbits Set and Not Checked Against SRC/DST Networks Martin Holste (Jun 27)
- Re: Flowbits Set and Not Checked Against SRC/DSTNetworks Joshua.Kinard (Jun 27)
- Re: Flowbits Set and Not Checked Against SRC/DSTNetworks beenph (Jun 28)