Snort mailing list archives

Re: Use of flowbits in Snort to alert upon reception of second identical packet


From: "Joel Esler (jesler) via Snort-sigs" <snort-sigs () lists snort org>
Date: Tue, 8 Oct 2019 21:29:52 +0000

Snort would examine duplicate copies of the same traffic as independent streams.  Flowbits cannot compare between 
streams in current versions of Snort.

 

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Alex McDonnell <amcdonnell () sourcefire com>
Date: Tuesday, October 8, 2019 at 4:39 PM
To: stephane potier <stephane.potier () yahoo fr>
Cc: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Use of flowbits in Snort to alert upon reception of second identical packet

 

I don't know what setup you've got or what your rule is but if you set the rule to "drop" instead of "alert" it should 
kill the connection once it hits that count. 

 

Alex

 

On Tue, Oct 8, 2019 at 4:31 PM stephane potier <stephane.potier () yahoo fr> wrote:

Hi Alex,

 

Thanks, sounds interesting.

I set count to 1 to reach my objective.

I observe that the alarm is raised only after the TCP connection is closed. Is that normal?

I need this alarm to be raised before the tcp connection is closed.

 

Regards,

Stephane

 

On Tuesday, 8 October 2019 at 18:26:09 UTC+2, Alex McDonnell <amcdonnell () sourcefire com> wrote: 

 

 

I think you could do this more easily by using detection_filter. This will allow you to specify after how many 
identical (according to the rule) packets to alert, and over how long a period of time. 
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html#SECTION00477000000000000000 

 

Alex McDonnell
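A rule of the kind Alex describes, written out here as an added example; it is not from the thread, from the Snort ruleset, or from the linked manual page. detection_filter counts how often the rest of the rule matches for a tracked host (by_src or by_dst) inside a sliding window of `seconds`, and only once that count is exceeded does the rule generate an event. With `count 1` the first match is counted silently and the second match from the same source inside the window raises the alert, which is the behaviour Stephane is after. The destination port 8080, the content string "GET /ping", the message text and the SID 1000001 are placeholders chosen for this example; the rule is assumed to live in a local rules file that snort.conf includes.

```snort
# Added example (not from the thread): alert on the second matching request
# from the same source host within 60 seconds. Port, content, msg and sid
# are placeholders.
#
# "Identical" here means whatever the rule's own match options define:
# the header (source net, destination net, port 8080) plus the content
# string. detection_filter does not compare packets byte for byte.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( \
    msg:"EXAMPLE second identical request from one source within 60s"; \
    flow:to_server,established; \
    content:"GET /ping"; depth:9; \
    detection_filter:track by_src, count 1, seconds 60; \
    classtype:misc-activity; \
    sid:1000001; rev:1; \
)
```

Two points worth keeping in mind when adapting this. The counter is keyed on the tracked host address, not on the flow, so two matching requests from the same source on different TCP connections are counted together, and a third match inside the window fires again. And the window is `seconds` long: a second copy that arrives 61 seconds after the first starts a fresh count instead of alerting, so pick the window to fit how far apart the two packets can legitimately be.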

 

On Tue, Oct 8, 2019 at 11:49 AM stephane potier via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

 

I am trying to write a snort rule that alerts only if the same packet is received twice (ip, port and content are 
identical). 

The idea is to raise the alert only on reception of the second identical packet. Several other frames can be received 
between those 2 identical packets.

I cannot find clear indications of how to use flowbits for this case. I have found a rule that seems to do a similar job in 
/etc/snort/rules/web-client.rules (see below), but I am not very clear on how it really works. 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 ( \
    msg:"WEB-MISC SSLv2 Client_Hello with pad request"; \
    flow:to_server,established; \
    flowbits:isnotset,sslv2.client_hello.request; \
    flowbits:isnotset,sslv3.client_hello.request; \
    flowbits:isnotset,tlsv1.client_hello.request; \
    byte_test:1,<,128,0; \
    content:"|01|"; depth:1; offset:3; \
    content:"|00 02|"; depth:2; offset:6; \
    flowbits:set,sslv2.client_hello.request; \
    flowbits:noalert; \
    classtype:protocol-command-decode; \
    sid:2659; rev:4; \
)

Any explanation of the previous rule and idea is welcome, particularly how flowbits isnotset and set can be written in 
the same rule, and their position in the rule.

 

Thanks.

 

Herl
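How the sid:2659 rule above works, and a two-rule pair that uses the same mechanism for the "second occurrence" case. This is an added example, not code from the thread or from the Snort ruleset. In that rule every `flowbits:isnotset` is a condition evaluated alongside the content and byte_test options; `flowbits:set` is an action that runs only when the whole rule has matched; and `flowbits:noalert` suppresses the event, so the rule's sole job is to tag the flow. Their position among the other options does not change the meaning: conditions are checked, and the set/noalert actions apply after a match. The pair below applies that pattern: rule 1 tags the flow on the first matching request and stays silent, rule 2 fires only when a later packet on the same flow matches with the tag already present. The port 8080, the content string "GET /ping", the flowbit name "example.seen_once" and the SIDs 1000002 and 1000003 are placeholders chosen for this example; the rules are assumed to live in a local rules file that snort.conf includes.

```snort
# Added example (not from the thread): alert on the second matching request
# within one TCP flow using a flowbit. Port, content, flowbit name and sids
# are placeholders.

# Rule 1: first matching request on this flow. Set the bit, raise no event.
# flowbits:isnotset keeps this rule from re-matching once the bit is set,
# so it tags the flow exactly once.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( \
    msg:"EXAMPLE first occurrence on this flow (silent)"; \
    flow:to_server,established; \
    content:"GET /ping"; depth:9; \
    flowbits:isnotset,example.seen_once; \
    flowbits:set,example.seen_once; \
    flowbits:noalert; \
    sid:1000002; rev:1; \
)

# Rule 2: same content again on a flow that already carries the bit.
# This is the second occurrence, so alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( \
    msg:"EXAMPLE second occurrence on the same flow"; \
    flow:to_server,established; \
    content:"GET /ping"; depth:9; \
    flowbits:isset,example.seen_once; \
    sid:1000003; rev:1; \
)
```

The state set by rule 1 belongs to the flow, which for TCP is the single connection tracked by the stream preprocessor: it is created when the first packet matches and goes away when that connection is torn down or times out. That is the limit Joel points to at the top of the thread. Two copies of the same packet on two different connections are two different flows, each starting with the bit unset, so rule 2 never fires across them. When the two packets must be correlated across connections from one host, detection_filter (keyed on the host address rather than the flow) is the option to use instead.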

 

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset and make sure to stay up to date to catch the most emerging 
threats: https://snort.org/downloads/#rule-downloads

