Snort mailing list archives

Flowbits option in Snort


From: Matthew Budge <mbudge1 () gmail com>
Date: Mon, 8 Aug 2011 13:10:41 +0100

Hello,

I'm having some trouble with the flowbits option in Snort.

The rules below all trigger alerts when the flowbits option isn't set.
However, when flowbits is set (as shown below), only rules 1 & 2 generate
alerts. I understand HTTP GET requests only send the URL and headers to a
server, and POST requests can include a message body. However, how does the
difference in the HTTP request methods affect how flowbits work in Snort?
Although the state name, "zeus", is set in rule 1 (as rule 2 triggers an
alert), rules 3 & 4 don't recognise this, preventing their alerts from being
triggered.

# Rule 1
alert tcp $HOME_NET 1027 -> $EXTERNAL_NET $HTTP_PORTS (content: "GET"; msg:"Rule 1"; flowbits:set,malware; sid:1000010;)
# Rule 2
alert tcp $HOME_NET 1020:1040 -> $EXTERNAL_NET $HTTP_PORTS (content: "GET"; msg:"Rule 2"; flowbits:isset,malware; sid:1000000;)
# Rule 3
alert tcp $HOME_NET 1029 -> $EXTERNAL_NET $HTTP_PORTS (content: "POST"; msg:"Rule 3 Port 1029"; flowbits:isset,malware; sid:1000011;)
# Rule 4
alert tcp $HOME_NET 1030 -> $EXTERNAL_NET $HTTP_PORTS (content: "POST"; msg:"Rule 4: Port 1030"; flowbits:isset,malware; sid:1000012;)


Snort log:

[**] [1:1000010:0] Rule 1 [**]
[Priority: 0]
08/04-17:23:18.108784 10.0.0.2:1027 -> 10.0.1.10:80
TCP TTL:128 TOS:0x0 ID:184 IpLen:20 DgmLen:322 DF
***AP*** Seq: 0x8424D791  Ack: 0x5BE86D33  Win: 0xFFFF  TcpLen: 20

[**] [1:1000000:0] Rule 2 [**]
[Priority: 0]
08/04-17:23:18.108784 10.0.0.2:1027 -> 10.0.1.10:80
TCP TTL:128 TOS:0x0 ID:184 IpLen:20 DgmLen:322 DF
***AP*** Seq: 0x8424D791  Ack: 0x5BE86D33  Win: 0xFFFF  TcpLen: 20


Thanks for any help.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
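The following is an added illustration of the behaviour behind the post's question; it is not code from the post, from the Snort project, or from any reply in the thread. Snort keeps flowbits state per transport-layer session (the Stream preprocessor keys it on the TCP endpoints), not globally, so a bit set by rule 1 on the 10.0.0.2:1027 -> 10.0.1.10:80 connection is not visible to rules evaluated on the separate connections from source ports 1029 and 1030; the GET/POST difference plays no part. The log in the post is consistent with this: both alerts carry the same timestamp and sequence number, i.e. rule 2 fires on the very packet where rule 1 set the bit. The model below reproduces that with constructed packets and copies of the four posted rules (flowbit name "malware"); the payloads and URLs are made up.

```python
"""Per-flow flowbits model: why only rules 1 & 2 in the post alert.

Added example, not Snort code. It models one property of Snort's flowbits:
state is stored per session, keyed on the two TCP endpoints, so three
connections from the same client using source ports 1027, 1029 and 1030
each get their own, initially empty, set of bits.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

FlowKey = FrozenSet[Tuple[str, int]]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

    def flow_key(self) -> FlowKey:
        # A session is identified by its two endpoints regardless of which
        # direction the packet travels; flowbits live under this key.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    sports: range     # source port spec from the rule header
    content: bytes    # content: match, anywhere in the payload
    flowbit: str
    op: str           # "set" or "isset"


def port_range(spec: str) -> range:
    """Parse a Snort port spec such as '1027' or '1020:1040' (inclusive)."""
    lo, _, hi = spec.partition(":")
    return range(int(lo), int(hi or lo) + 1)


# Copies of the four rules from the post (same sids, ports, content, flowbit).
RULES: List[Rule] = [
    Rule(1000010, "Rule 1", port_range("1027"), b"GET", "malware", "set"),
    Rule(1000000, "Rule 2", port_range("1020:1040"), b"GET", "malware", "isset"),
    Rule(1000011, "Rule 3 Port 1029", port_range("1029"), b"POST", "malware", "isset"),
    Rule(1000012, "Rule 4: Port 1030", port_range("1030"), b"POST", "malware", "isset"),
]

# Constructed traffic: a GET from source port 1027, then POSTs from two other
# source ports, i.e. three distinct TCP connections to the same server.
PACKETS: List[Packet] = [
    Packet("10.0.0.2", 1027, "10.0.1.10", 80, b"GET /config.bin HTTP/1.1\r\nHost: 10.0.1.10\r\n\r\n"),
    Packet("10.0.0.2", 1029, "10.0.1.10", 80, b"POST /gate.php HTTP/1.1\r\nHost: 10.0.1.10\r\n\r\nx=1"),
    Packet("10.0.0.2", 1030, "10.0.1.10", 80, b"POST /gate.php HTTP/1.1\r\nHost: 10.0.1.10\r\n\r\nx=2"),
]


def run_rules(packets: List[Packet], rules: List[Rule]) -> Tuple[List[Tuple[int, str]], Dict[FlowKey, Set[str]]]:
    """Evaluate rules in order over each packet, keeping flowbits per flow.

    Returns (alerts, flowbits): alerts is a list of (sid, "src:sport") and
    flowbits maps each flow key to the bits currently set on that flow.
    """
    flowbits: Dict[FlowKey, Set[str]] = {}
    alerts: List[Tuple[int, str]] = []
    for pkt in packets:
        bits = flowbits.setdefault(pkt.flow_key(), set())
        for rule in rules:
            if pkt.sport not in rule.sports or rule.content not in pkt.payload:
                continue
            if rule.op == "set":
                # set always matches, alerts (no noalert here) and makes the
                # bit visible to later rules on this same packet and flow.
                bits.add(rule.flowbit)
                alerts.append((rule.sid, f"{pkt.src}:{pkt.sport}"))
            elif rule.op == "isset" and rule.flowbit in bits:
                alerts.append((rule.sid, f"{pkt.src}:{pkt.sport}"))
    return alerts, flowbits


def alerted_sids(packets: List[Packet] = PACKETS, rules: List[Rule] = RULES) -> List[int]:
    """sids that alerted, in order; only rules 1 and 2 for the post's traffic."""
    return [sid for sid, _ in run_rules(packets, rules)[0]]


def bits_by_source_port(packets: List[Packet] = PACKETS, rules: List[Rule] = RULES) -> Dict[int, Set[str]]:
    """Flowbit state after the run, keyed by the client's source port."""
    _, flowbits = run_rules(packets, rules)
    return {sport: bits for key, bits in flowbits.items()
            for host, sport in key if host == "10.0.0.2"}


if __name__ == "__main__":
    for sid, where in run_rules(PACKETS, RULES)[0]:
        print(f"[1:{sid}:0] from {where}")
    print(bits_by_source_port())
```

Run it and the "malware" bit is present only on the flow from port 1027; the 1029 and 1030 flows have no bits, so rules 3 and 4 have nothing to test against. In Snort, `flowbits:isset` can only succeed on a connection where some earlier rule (or an earlier packet of the same connection) did `flowbits:set`.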