Snort mailing list archives

Re: Use of flowbits in Snort to alert upon reception of second identical packet


From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Tue, 8 Oct 2019 12:25:17 -0400

I think you could do this more easily by using detection_filter. This will
allow you to specify after how many identical (according to the rule)
packets to alert, and over how long a period of time.
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html#SECTION00477000000000000000

Alex McDonnell

On Tue, Oct 8, 2019 at 11:49 AM stephane potier via Snort-sigs <
snort-sigs () lists snort org> wrote:

Hi,

I am trying to write a Snort rule that alerts only if the same packet is
received twice (IP, port and content are identical).
The idea is to raise the alert only on reception of the second identical
packet. Several other frames can be received between those two packets.
I cannot find clear indications of how to use flowbits for this case. I have
found a rule that seems to do a similar job in
/etc/snort/rules/web-client.rules (see below), but I am not very clear on how
it really works.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 ( \
    msg:"WEB-MISC SSLv2 Client_Hello with pad request"; \
    flow:to_server,established; \
    flowbits:isnotset,sslv2.client_hello.request; \
    flowbits:isnotset,sslv3.client_hello.request; \
    flowbits:isnotset,tlsv1.client_hello.request; \
    byte_test:1,<,128,0; \
    content:"|01|"; depth:1; offset:3; \
    content:"|00 02|"; depth:2; offset:6; \
    flowbits:set,sslv2.client_hello.request; flowbits:noalert; \
    classtype:protocol-command-decode; sid:2659; rev:4; )

Any explanation of the previous rule and of the idea is welcome, particularly
how flowbits isnotset and set can be written in the same rule, and their
position in the rule.

Thanks.

Herl

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay
up to date to catch the most emerging threats!
https://snort.org/downloads/#rule-downloads
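Editor's note on the rule quoted above (sid:2659): Snort evaluates rule options in the order written, so the three isnotset checks act as a guard before the payload matching (byte_test confirms the 2-byte SSLv2 record header, then the Client_Hello type 0x01 at offset 3 and version 00 02 at offset 6), and the set/noalert pair at the end runs only once the whole rule has matched. The bit is therefore set at most once per TCP session, and noalert turns the rule into a pure state-setter that other rules consume with flowbits:isset. Flowbits are per-flow state: they cannot see a packet that arrives in a different TCP connection. The two rule fragments below are an added example written for this note, not rules from the thread or from the official ruleset. The port 502, the payload bytes, the flowbit name example.req.seen and the sids 1000001-1000003 are assumptions chosen for illustration; replace them with the real values.

```snort
# Added example, not from the original thread. Assumed service port 502 and
# an assumed 8-byte request payload; adjust both to the traffic in question.

# Option 1 (the detection_filter approach from the reply above):
# count the matches of this rule per source IP and fire from the second
# match within 60 seconds onward. count 1 means "fire once more than one
# match has been seen", i.e. on the 2nd, 3rd, ... packet inside the window.
# The source port is not part of what detection_filter tracks; the rule
# itself pins the destination port and the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 502 ( \
    msg:"EXAMPLE identical request seen again within 60s"; \
    flow:to_server,established; \
    content:"|00 01 00 00 00 06 01 03|"; depth:8; \
    detection_filter:track by_src, count 1, seconds 60; \
    classtype:misc-activity; sid:1000001; rev:1; )

# Option 2 (flowbits, following the pattern of sid:2659): only works when
# both packets belong to the same TCP session, because the bit lives on the
# flow. First occurrence: remember it, do not alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 502 ( \
    msg:"EXAMPLE first request in session (state only)"; \
    flow:to_server,established; \
    content:"|00 01 00 00 00 06 01 03|"; depth:8; \
    flowbits:isnotset,example.req.seen; \
    flowbits:set,example.req.seen; flowbits:noalert; \
    classtype:misc-activity; sid:1000002; rev:1; )

# Second occurrence in the same session: the bit is already set, so alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 502 ( \
    msg:"EXAMPLE identical request repeated in session"; \
    flow:to_server,established; \
    content:"|00 01 00 00 00 06 01 03|"; depth:8; \
    flowbits:isset,example.req.seen; \
    classtype:misc-activity; sid:1000003; rev:1; )
```

Caveat for option 2: both rules match the same payload, and a flowbit set by one rule is visible to the other rules evaluated against that same packet. If Snort happens to evaluate sid:1000002 before sid:1000003 on the first packet, the second rule fires immediately and the "second packet" semantics are lost. Flowbits are the right tool when the setting rule and the checking rule look at different packets (as sid:2659 sets a bit on the client hello for response-side rules to test); for "the same thing seen twice", detection_filter keeps the counting inside one rule and avoids that ordering dependency.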