[Oisf-users] real time alert on tcp stream and flowint

Peter Manev petermanev at gmail.com
Sat Feb 11 17:52:51 UTC 2012


On Sat, Feb 11, 2012 at 4:31 PM, Nikolay Denev <ndenev at gmail.com> wrote:

>
> On Feb 11, 2012, at 12:11 PM, Peter Manev wrote:
>
>
>
> On Fri, Feb 10, 2012 at 6:43 AM, Nikolay Denev <ndenev at gmail.com> wrote:
>
>>
>> On Feb 9, 2012, at 10:04 PM, Nikolay Denev wrote:
>>
>> > On Feb 9, 2012, at 10:03 PM, Nikolay Denev wrote:
>> >
>> >> Hi all,
>> >>
>> >> It's probably a stupid question and I'm missing something, but I don't
>> seem to be able
>> >> to generate alert immediately when for example a given string is found
>> inside a TCP stream.
>> >> When the TCP connection closes, suricata immediately prints the alert
>> in fast.log.
>> >> How can I make the alert be generated immediately when the rule
>> condition is matched?
>> >>
>> >> Also I don't know if its because of this I don't seem to be able to
>> trigger the rule to match several times on the same stream,
>> >> while I have the string that should fire the alert several times in
>> the stream.
>> >>
>> >> Here's an example :
>> >>
>> >> alert tcp $HOME_NET 6666 -> any any \
>> >>       (msg:"got one"; content:"something"; flowint:something,notset; \
>> >>       flowint:something,=,1; sid:10;)
>> >>
>> >> alert tcp $HOME_NET 6666 -> any any \
>> >>       (msg:"got five or more"; content:"something"; flowint:something,isset; \
>> >>       flowint:something,+,1; flowint:something,>,5; sid:11;)
>> >>
>> >> This never works, I just have the first rule fire once when the TCP
>> session is terminated.
>> >>
>> >>
>> >> P.S.: As a side note the wiki should be updated to include probably
>> "sid"s for the rules, as currently when I try to run the examples
>> >> suricata complains about duplicated rules.
>> >>
>> >> Thanks,
>> >>
>> >
>> > I'm running 1.2.1 RELEASE on FreeBSD-9.0-STABLE.
>>
>> This seems to work :
>>
>> alert tcp $HOME_NET 6666 -> any any \
>>         (msg:"got one"; content:"something"; flowint:something,notset; \
>>         flowint:something,=,1; noalert; sid:10; priority:1;)
>>
>> alert tcp $HOME_NET 6666 -> any any \
>>         (msg:"got more"; content:"something"; flowint:something,isset; \
>>         flowint:something,+,1; noalert; sid:11; priority:2;)
>>
>> alert tcp $HOME_NET 6666 -> any any \
>>         (msg:"got too many"; content:"something"; flowint:something,isset; \
>>         flowint:something,>,2; sid:12; priority:3;)
>>
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
>
> Hi Nikolay,
> I think this is the way it is supposed to work. (last example, by you).
>
> When you take out "noalert" from sid 11 - does it fire ?
>
> And are these the only rules that are loaded in terms of flowint or you
> have others before that?
>
> thanks
>
>
>
> --
> Peter Manev
>
>
>
> Yes, it fires, the problem I have is that it doesn't fire for each
> occurrence of "content".
> Is alert supposed to fire once per packet if it matches, or for each match
> in the stream?
>
> For example now I'm using these rules to catch if there are more than some
> defined amount of email addresses in a given stream :
>
>
> alert tcp $HOME_NET 80 -> any any \
>         (msg:"got one email addr"; content:"|40|"; \
>         pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \
>         flow:established,from_server; flowint:something,notset; \
>         flowint:something,=,1; sid:10; priority:3; noalert;)
>
> alert tcp $HOME_NET 80 -> any any \
>         (msg:"got more email addrs"; content:"|40|"; \
>         pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \
>         flow:established,from_server; flowint:something,isset; \
>         flowint:something,+,1; sid:11; priority:2; noalert;)
>
> alert tcp $HOME_NET 80 -> any any \
>         (msg:"Got too many email addrs!"; content:"|40|"; \
>         pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \
>         flow:established,from_server; flowint:something,isset; \
>         flowint:something,>,10; sid:12; priority:1; classtype:policy-violation;)
>
>
> This for example works, but would not match for a simple plain text file
> with 10 email addresses, I need to have maybe 40-50 or more for this to
> match.
> Maybe I'm missing something…
>
> And yes, these are my only rules that I'm testing with. No other rules with
> or without flowint whatsoever.
>
>
Hi,
Just so I understand you correctly - you have a text file (in the stream)
and in that text file you have 10 e-mail addresses and it would not fire.
Correct?


thanks


-- 
Peter Manev
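An added example, not from the thread and not Suricata code: a small Python model of the three-rule flowint chain Nikolay posted (sid 10 sets the counter, sid 11 increments it, sid 12 alerts above a threshold), replayed over constructed payloads of one flow. It assumes, as the thing being modelled, that a signature matches at most once per packet (or reassembled stream segment) it is evaluated on, so "flowint:something,+,1" bumps the counter once per matching payload rather than once per e-mail address in it; the per_occurrence flag models the alternative Nikolay was expecting, so the two counts can be compared side by side. The payloads, the threshold of 10 and the rule numbering are taken from the posted rules; the function name and the sample text are this example's own.

```python
# Added example (not from the thread, not Suricata code): a model of the
# sid 10 / 11 / 12 flowint chain, to compare "one increment per matching
# packet" with "one increment per occurrence in the payload".
#
# Assumption modelled: a Suricata signature matches at most once per packet
# (or reassembled stream segment), so "flowint:x,+,1" runs once per matching
# payload, not once per e-mail address found inside it.
import re
from typing import List, Optional, Tuple

# Same pattern as the pcre in the posted rules.
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}", re.I)

# Constructed sample payloads for one flow (not captured traffic):
# a single segment holding 12 addresses, and 12 segments holding one each.
ONE_BIG_SEGMENT = ["\n".join(f"user{i}@example.com" for i in range(12))]
MANY_SMALL_SEGMENTS = [f"contact user{i}@example.com for details"
                       for i in range(12)]


def run_flowint_chain(segments: List[str], threshold: int = 10,
                      per_occurrence: bool = False
                      ) -> Tuple[Optional[int], List[Tuple[int, int]]]:
    """Replay sid 10 / 11 / 12 from the thread over ordered payloads of one flow.

    Returns the final value of flowint "something" (None means notset) and a
    list of (segment index, counter value) for each time sid 12 would alert.
    """
    counter: Optional[int] = None
    alerts: List[Tuple[int, int]] = []
    for idx, payload in enumerate(segments):
        if per_occurrence:
            hits = len(EMAIL_RE.findall(payload))   # every address counts
        else:
            hits = 1 if EMAIL_RE.search(payload) else 0   # packet matched or not
        for _ in range(hits):
            if counter is None:
                counter = 1        # sid 10: notset -> set to 1 (noalert)
            else:
                counter += 1       # sid 11: isset -> +1 (noalert)
        # sid 12: evaluated only when content/pcre matched this payload
        if hits and counter is not None and counter > threshold:
            alerts.append((idx, counter))
    return counter, alerts


if __name__ == "__main__":
    for name, segs in (("one big segment", ONE_BIG_SEGMENT),
                       ("many small segments", MANY_SMALL_SEGMENTS)):
        for mode in (False, True):
            final, alerts = run_flowint_chain(segs, per_occurrence=mode)
            print(f"{name:20s} per_occurrence={mode!s:5s} "
                  f"counter={final} alerts={alerts}")
```

Under the per-packet assumption the single segment with 12 addresses leaves the counter at 1 and sid 12 never fires, while the same 12 addresses spread over 12 segments push the counter past 10 on the eleventh matching segment; only the per_occurrence model reaches the threshold from one text file with a dozen addresses in it.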