Snort mailing list archives

Re: Flowbits Set and Not Checked Against SRC/DST Networks


From: beenph <beenph () gmail com>
Date: Tue, 28 Jun 2011 08:55:24 -0400

On Mon, Jun 27, 2011 at 10:51 PM,  <Joshua.Kinard () us-cert gov> wrote:

> It is my understanding that 'flow:stateless' on a TCP rule with 'flowbits' is non-sensical -- it should, in fact,
> throw a fatal error (but doesn't currently).  Snort would need an established session present before it can apply
> 'flowbits', and since the SYN packet usually defines the start of a TCP session, you're basically asking the chicken
> which came first, it or the egg it hatched from.


Hi Joshua,
Maybe others could comment on this, but having flow:stateless is just a
way of ensuring that you are not triggering on in-stream data, thus
perfectly valid in my understanding of the test case.

> There is a formerly-undocumented option to 'flow' that might be worth trying: 'not_established'.  It works well when
> you play back PCAP files that exclude the TCP handshake, due to how the packets were logged.  But likely, if you are
> looking for the first SYN packet, 'flags:S,CE;' will probably be the best bet.


I am not sure, but I think not_established is superseded by the
functionality of stateless.

But I agree that flags could be something like flags:S,+;
flow:stateless; or flow:not_established;

But it was given only as a mere example for the test case, since I was
not sure about their ultimate needs.

-elz.
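For readers following the test case under discussion, a minimal rule pair of the kind it describes, added here as an illustration and not a rule set posted in the thread: the first rule is evaluated stateless against the initial SYN and sets a flowbit without alerting; the second is only evaluated on data in the established session and fires when that bit is present on the flow. `$EXTERNAL_NET`, `$HOME_NET`, port 80, the flowbit name `example_syn_seen`, the `content` match and the SIDs are placeholders chosen for the example.

```snort
# Example rule 1 (not from the thread): match the first SYN of a
# client-to-server connection regardless of stream state.
# flags:S,CE matches a bare SYN while ignoring the CWR/ECE (ECN) bits,
# which some stacks set on the initial SYN and which would otherwise
# make a plain flags:S; miss it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"EXAMPLE SYN to web port seen"; \
    flow:stateless; \
    flags:S,CE; \
    flowbits:set,example_syn_seen; \
    flowbits:noalert; \
    sid:1000001; rev:1; \
)

# Example rule 2: only evaluated once the session is established and
# traffic is flowing to the server; alerts when the bit set by rule 1
# is present on this flow, i.e. Snort itself saw the SYN that opened it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"EXAMPLE request on session whose SYN was seen"; \
    flow:to_server,established; \
    flowbits:isset,example_syn_seen; \
    content:"GET "; depth:4; \
    sid:1000002; rev:1; \
)
```

Rule 1 stays silent because of `flowbits:noalert`, so only rule 2 produces alerts. Note the dependency this creates: if the sensor never sees the handshake (for example a PCAP captured after the session was already open, the situation the `not_established` remark above is about), rule 1 never runs, the bit is never set, and rule 2 never fires even though the request itself is present.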

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
