[Oisf-devel] New Features: Flowint

Rich Rumble richrumble at gmail.com
Mon Sep 13 21:36:16 UTC 2010


On Mon, Jan 11, 2010 at 1:44 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
...
> Flowint allows storage and mathematical operations using variables. It
> operates much like flowbits but with the addition of mathematical
> capabilities and the fact that an integer can be stored and manipulated,
> not just a flag set. We can use this for a number of very useful things,
> such as counting occurrences, adding or subtracting occurrences, or
> doing thresholding within a stream in relation to multiple factors. This
> will be expanded to a global context very soon so we can do these
> operations between streams. More on that when it's in there!
...
> The syntax is as follows:
> flowint: <var>, <set|isset|unset>;
> Define a var (not required), or check that one is set or not set.
> flowint: <var>, <operator>, <var or integer>;
> flowint: <var>, < +,-,=,>,<,>=,<=,==, != >, <var or integer>;

I'm sorry I haven't paid enough attention to the list or been to the
brainstorming meetings, but is there an "if/then" type of function, a little
different than flowint, for example:

alert tcp any any -> any any (msg:"Suspicious file execution"; content:
"gsecdump"; trigger:9999990;)

trigger:9999990 = alert alert tcp $host_1 any -> $host_2 any (msg:"Suspicious
activity, dump next 200 packets for both hosts";)

I have no idea how to write it "Snort like", but let's say I find an
exe executing, can I have a new rule be "activated" so that it dumps the
next X packets from either of the hosts that triggered the alert, or even
just one of them if the "trigger rule" specifies the src/dst or whatever.
Can flowint use the detected hosts and pass them on as variables?
Host_1 ---> runs gsecdump against host_2 which set off an alert. The IDS
then passes the hosts' IPs to the flowint rule which looks for content:
Username, or content=* up to 200 packets each host?

Does that exist, half exist, is it on the roadmap, will it never happen in
this lifetime bub? (please circle one:)

I hope I've explained it well enough, to me it sounds like an over simplified
if/then rule that passes the src and dst onto the next rule... So rules that
might have a high FP/FN rate could be mitigated because those high false
positive/negative rules only run against a select host or two. I'm sure there
would have to be checks and balances so you don't get your IDS to fall over,
especially if the "if" portion of the rule was hitting hundreds of times a
second.
Just an idea.
-rich
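For readers following the quoted flowint syntax, here is an added example of the "counting occurrences" and "thresholding within a stream" use that Matt's announcement describes. It is not from the original thread or from the Suricata project; the variable name usernamecount, the content match "jonkman" and the threshold of 5 are assumed values chosen for illustration. Because flowint state is per-flow (the announcement says a global context is not in yet), the counter only accumulates across packets of the same connection, which is exactly why this construction suits a brute-force or enumeration pattern inside one session rather than across hosts.

```suricata
# Constructed example: count how many times a username appears in one
# flow and alert only once the count crosses a threshold. The first rule
# exists solely to maintain the counter; noalert keeps it quiet.
alert tcp any any -> any any (msg:"Counting usernames in flow"; content:"jonkman"; flowint:usernamecount, notset; flowint:usernamecount, =, 1; noalert; sid:1000001; rev:1;)

# Subsequent matches in the same flow increment the existing counter.
alert tcp any any -> any any (msg:"Incrementing username counter"; content:"jonkman"; flowint:usernamecount, isset; flowint:usernamecount, +, 1; noalert; sid:1000002; rev:1;)

# Fire once the per-flow count exceeds the assumed threshold of 5.
# The comparison operator (>) is one of the operators listed in the
# quoted syntax: + - = > < >= <= == !=
alert tcp any any -> any any (msg:"More than five usernames in one flow"; content:"jonkman"; flowint:usernamecount, isset; flowint:usernamecount, >, 5; sid:1000003; rev:1;)
```

Ordering matters: the set rule carries a notset check and the increment rule an isset check, so the first occurrence initialises the variable to 1 instead of both rules racing on it, and the threshold rule fires on the sixth match and every one after it. A practitioner tuning this would add an explicit upper bound or a flowbit to alert only once per flow, depending on whether repeated alerts are wanted.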
