Snort mailing list archives

Re: Specific rule for bandwidth


From: "Davis McPherson (davmcphe)" <davmcphe () cisco com>
Date: Tue, 15 Sep 2015 14:46:37 +0000


The stream size option is evaluated on packets when a rule is evaluated.  The current stream size is computed by 
subtracting the current 'next seq' from the ISN (or vice-versa to handle wrapping).  The value is computed for the 
server and client directions and then comparison is done for the directions specified by the rule against the threshold 
value in the rule using the comparison operator defined by the rule.   There is no reset if the rule is triggered, so 
the stream size is a count of the number of bytes observed on the stream.

-davis mcpherson


-------- Forwarded Message --------
Subject:        [Snort-users] Specific rule for bandwidth
Date:   Tue, 15 Sep 2015 07:24:11 +0000
From:   Gabriel Corre <gabriel.corre () fr clara net>
To:     snort-users () lists sourceforge net


Hello,

I would like to use “stream_size” as a bandwidth controller. Thus I created this rule to test its functionality:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WARNING! Session bandwidth > 8 bytes"; stream_size:both,>,8; sid:1000000001;)
I would like to know if "stream_size" is reset when the alert is triggered or if it still counts the number of bytes observed?

The doc says: "The stream size keyword allows a rule to match traffic according to the number of bytes observed, as determined by the TCP sequence numbers." It doesn't pinpoint this aspect and I'm not sure about my bandwidth test.

Regards,

--

Gabriel Corré
Élève Ingénieur Sécurité & Réseaux, Ops - Core Infrastructure
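The evaluation Davis describes (per-direction byte count as next_seq minus ISN modulo 2^32, compared against the rule's threshold with the rule's operator, and never reset) is easy to get wrong at the wrap boundary and in the "both"/"either" semantics, so here is a small model of it. This is an added illustration, not Snort source code: the class and function names, the packet simulation and the sample packet list are my own constructions, and the toy stream tracker advances sequence numbers by payload length only (it ignores the sequence number consumed by SYN and FIN).

```python
"""Model of Snort's stream_size evaluation (illustration only, not Snort code)."""

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def stream_bytes(isn: int, next_seq: int) -> int:
    """Bytes observed in one direction: next_seq - ISN, modulo 2^32.

    The modulo is what handles wrapping: once the sequence space wraps,
    next_seq is numerically smaller than the ISN, and a plain subtraction
    would go negative.
    """
    return (next_seq - isn) % SEQ_MOD


class TcpStream:
    """Minimal tracker state: ISN and next expected seq for each direction."""

    def __init__(self, client_isn: int, server_isn: int) -> None:
        self.isn = {"client": client_isn % SEQ_MOD, "server": server_isn % SEQ_MOD}
        # Toy simplification: next_seq starts at the ISN and only payload
        # bytes advance it (a real stack also consumes one seq for SYN/FIN).
        self.next_seq = dict(self.isn)

    def advance(self, direction: str, payload_len: int) -> None:
        self.next_seq[direction] = (self.next_seq[direction] + payload_len) % SEQ_MOD

    def size(self, direction: str) -> int:
        return stream_bytes(self.isn[direction], self.next_seq[direction])


# Operators accepted by stream_size per the Snort manual.
OPERATORS = {
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
}


def parse_stream_size(option: str):
    """Parse the option body of stream_size:<direction>,<operator>,<number>."""
    direction, op, number = (part.strip() for part in option.split(","))
    if direction not in ("client", "server", "both", "either"):
        raise ValueError(f"bad direction {direction!r}")
    if op not in OPERATORS:
        raise ValueError(f"bad operator {op!r}")
    return direction, OPERATORS[op], int(number)


def stream_size_matches(stream: TcpStream, option: str) -> bool:
    """Evaluate the option against the current stream, as done on each packet."""
    direction, cmp, threshold = parse_stream_size(option)
    client_hit = cmp(stream.size("client"), threshold)
    server_hit = cmp(stream.size("server"), threshold)
    return {
        "client": client_hit,
        "server": server_hit,
        "both": client_hit and server_hit,
        "either": client_hit or server_hit,
    }[direction]


# Constructed sample: (direction, payload bytes) for each packet seen.
SAMPLE_PACKETS = [("client", 5), ("server", 10), ("client", 5), ("client", 1)]


def simulate(option: str, packets=SAMPLE_PACKETS) -> list:
    """Feed packets through the tracker and evaluate the option after each one.

    The client ISN sits just below 2^32 so the client direction wraps
    within the first packet; the count must still come out right.
    """
    stream = TcpStream(client_isn=0xFFFFFFFD, server_isn=1000)
    results = []
    for direction, payload_len in packets:
        stream.advance(direction, payload_len)
        results.append(stream_size_matches(stream, option))
    return results


if __name__ == "__main__":
    for opt in ("both,>,8", "either,>,8", "client,<,8"):
        print(opt, simulate(opt))
```

Two things the output makes visible: with `both,>,8` the option is false until both directions have individually exceeded 8 bytes, and once it is true it stays true for every later packet, because nothing resets the count when a rule fires. A rule built on stream_size therefore alerts on every packet after the threshold is crossed rather than once per "window" of bytes, which is why it does not work as a bandwidth meter on its own.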



