Snort mailing list archives

Re: Problems on Flowbits Option


From: Luo Xin <kingsleyluoxin () hotmail com>
Date: Thu, 13 Apr 2017 00:25:32 +0000

Thank you for taking time to reply!
In fact, I think I have set the states S1, S2 and S3. Is that a wrong use of flowbits? I have actually been wanting to track the states of the protocol and detect some anomalous behaviors.

On 2017/4/12 at 7:16 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

    I don't see anywhere where you are "set"ting a flowbit. So you aren't tracking anything. That's why you are getting the result you want.
    
    --
    Sent from my iPhone
    
    > On Apr 11, 2017, at 23:35, Luo Xin <kingsleyluoxin () hotmail com> wrote:
    > 
    > alert tcp any any -> $HOME_NET any (msg:"State 1"; gid:1; sid:10000001; flags:S; flowbits:isnotset,S1; flowbits:set,S1;)
    > alert tcp $HOME_NET any -> any any (msg:"State 2"; gid:1; sid:10000002; flags:SA; flowbits:isset,S1; flowbits:set,S2;)
    > alert tcp any any -> $HOME_NET any (msg:"State 3"; gid:1; sid:10000003; flags:A; flowbits:isset,S2; flowbits:set,S3;)
    > 
    > My rules are something like this, and I hope to use this to detect SYN flooding attacks. So how is it possible to describe the situation that is not accepted by the state machine?
    > 
    > On 2017/4/12 at 10:25 AM, "Al Lewis (allewi)" <allewi () cisco com> wrote:
    > 
    >    It will help if you provided an example. 
    > 
    >    “My rules don’t work” isn't much to go on :-)
    > 
    > 
    >    Albert Lewis
    >    ENGINEER.SOFTWARE ENGINEERING
    >    SOURCEfire, Inc. now part of Cisco
    >    Email: allewi () cisco com 
    > 
    >>    On 4/11/17, 9:58 PM, "Luo Xin" <kingsleyluoxin () hotmail com> wrote:
    >> 
    >> I am trying to build a state machine for TCP or other protocols. But I don’t know why my rules don’t work. ☹
    >> 
    >> From: "Joel Esler (jesler)" <jesler () cisco com>
    >> Date: Monday, April 10, 2017 at 11:55 PM
    >> To: Luo Xin <kingsleyluoxin () hotmail com>
    >> Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
    >> Subject: Re: [Snort-users] Problems on Flowbits Option
    >> 
    >> Many people have done what you are trying to do.  What are you trying to do??
    >> 
    >> 
    >> --
    >> Joel Esler | Talos: Manager | jesler () cisco com
    >> 
    >> On Apr 10, 2017, at 3:55 AM, Luo Xin <kingsleyluoxin () hotmail com> wrote:
    >> 
    >> Hello, everyone!
    >> 
    >> 
    >> I have been confused about the flowbits option. According to the Snort manual, it is possible to use this option to implement a simple state machine. I have been trying to do that, but my attempts have proved to be failures. I have been wondering if I have a wrong understanding of this flowbits option.
    >> 
    >> 
    >> Is there anybody who has ever used the flowbits option to implement a protocol state machine? If so, would you please be so kind as to help me solve my puzzles?
    >> 
    >> 
    >> Any help will be appreciated.
    > 
    > 
    

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
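The following is an added example, not part of the thread and not Snort's own code: a small Python model of the per-flow bit store that flowbits manipulates, used to replay the three rules quoted in the thread over constructed packets (a normal three-way handshake, an ACK on a flow that never saw a SYN/ACK, and a SYN flood). The value of $HOME_NET, the fourth rule (sid 10000004), the packet sequences, the sid-ordered evaluation and the detection_filter analogue are all assumptions of this model, not Snort's actual engine behaviour.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

HOME_NET = {"10.0.0.5"}  # assumed value of $HOME_NET for this simulation


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since start of the (constructed) capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flag letters in Snort notation, e.g. "S", "SA", "A"


# The three rules from the thread, plus sid 10000004 (added here, hypothetical) that
# names a packet the state machine does not accept: an ACK with no prior SYN/ACK.
RULES_TEXT = """
alert tcp any any -> $HOME_NET any (msg:"State 1"; sid:10000001; flags:S; flowbits:isnotset,S1; flowbits:set,S1;)
alert tcp $HOME_NET any -> any any (msg:"State 2"; sid:10000002; flags:SA; flowbits:isset,S1; flowbits:set,S2;)
alert tcp any any -> $HOME_NET any (msg:"State 3"; sid:10000003; flags:A; flowbits:isset,S2; flowbits:set,S3;)
alert tcp any any -> $HOME_NET any (msg:"ACK outside handshake"; sid:10000004; flags:A; flowbits:isnotset,S2;)
"""

HEADER = re.compile(r"alert tcp (\S+) \S+ -> (\S+) \S+ \((.*)\)")


def parse_rules(text):
    """Parse the rule subset used above: header addresses, msg, sid, flags, flowbits."""
    rules = []
    for line in text.strip().splitlines():
        src, dst, body = HEADER.match(line.strip()).groups()
        rule = {"src": src, "dst": dst, "checks": [], "sets": []}
        for opt in (o.strip() for o in body.split(";") if o.strip()):
            key, _, val = opt.partition(":")
            key, val = key.strip(), val.strip()
            if key == "msg":
                rule["msg"] = val.strip('"')
            elif key == "sid":
                rule["sid"] = int(val)
            elif key == "flags":
                rule["flags"] = val
            elif key == "flowbits":
                op, bit = (x.strip() for x in val.split(","))
                # isset/isnotset are tests; set/unset mutate the flow's bit store
                (rule["checks"] if op.startswith("is") else rule["sets"]).append((op, bit))
        rules.append(rule)
    return rules


def addr_matches(spec, ip):
    return spec == "any" or (spec == "$HOME_NET" and ip in HOME_NET)


def flow_key(p):
    # Both directions of one connection share a single flowbits store, as in Snort.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def run(rules, packets):
    """Evaluate rules in sid order (a simplification) and return [(sid, msg, packet), ...]."""
    bits = defaultdict(set)  # flow_key -> names of bits currently set on that flow
    alerts = []
    for p in packets:
        state = bits[flow_key(p)]
        for r in sorted(rules, key=lambda r: r["sid"]):
            if not (addr_matches(r["src"], p.src) and addr_matches(r["dst"], p.dst)):
                continue
            if r.get("flags", p.flags) != p.flags:   # 'flags:S' means exactly SYN here
                continue
            if not all((bit in state) == (op == "isset") for op, bit in r["checks"]):
                continue
            for op, bit in r["sets"]:
                (state.add if op == "set" else state.discard)(bit)
            alerts.append((r["sid"], r.get("msg", ""), p))
    return alerts


def handshake(client, server="10.0.0.5", cport=40000, t0=0.0):
    """Constructed three-way handshake: SYN, SYN/ACK, ACK."""
    return [Packet(t0, client, cport, server, 80, "S"),
            Packet(t0 + 0.01, server, 80, client, cport, "SA"),
            Packet(t0 + 0.02, client, cport, server, 80, "A")]


def syn_flood(n, server="10.0.0.5", t0=0.0):
    """Constructed flood: n SYNs from spoofed sources within one second, never completed."""
    return [Packet(t0 + i / n, f"198.51.100.{i % 250 + 1}", 1024 + i, server, 80, "S")
            for i in range(n)]


def syn_rate_exceeded(alerts, sid, count, seconds):
    """Sliding-window rate check on one sid keyed by destination: the analogue of
    'detection_filter:track by_dst,count N,seconds S' on a Snort rule."""
    windows = defaultdict(list)
    for s, _, p in alerts:
        if s != sid:
            continue
        w = windows[p.dst]
        w.append(p.ts)
        while w and p.ts - w[0] > seconds:
            w.pop(0)
        if len(w) >= count:
            return True
    return False


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, pkts in [("handshake", handshake("192.0.2.10")),
                       ("mid-stream ACK", [Packet(0.0, "192.0.2.10", 5000, "10.0.0.5", 80, "A")]),
                       ("syn flood", syn_flood(200))]:
        hits = run(rules, pkts)
        print(name, [sid for sid, _, _ in hits][:4], "rate exceeded:",
              syn_rate_exceeded(hits, 10000001, 100, 1.0))
```

On the handshake the chain fires State 1, State 2, State 3 in turn, because each packet finds the bit the previous rule set on the same flow. A packet "not accepted by the state machine" is expressed the other way round: test with isnotset for the bit the preceding state would have set, as sid 10000004 does for an ACK on a flow with no S2. Two caveats for anyone trying this on a real sensor: such isnotset rules also fire on every connection that predates Snort start, since those flows have no bits at all; and a SYN flood never produces a later packet on the flow, so no transition-based rule will see it. The flood appears only as the rate of State 1 events per destination, which is what detection_filter (or the older threshold keyword) on the SYN rule measures, and what syn_rate_exceeded approximates above.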
