<br><br><div class="gmail_quote">On Sun, Feb 12, 2012 at 8:15 AM, Nikolay Denev <span dir="ltr"><<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div><div class="h5"><br><div><div>On Feb 11, 2012, at 10:11 PM, Peter Manev wrote:</div><br><blockquote type="cite"><br><br><div class="gmail_quote">On Sat, Feb 11, 2012 at 8:27 PM, Nikolay Denev <span dir="ltr"><<a href="mailto:ndenev@gmail.com" target="_blank">ndenev@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div><div><br><div><div>On Feb 11, 2012, at 9:14 PM, Peter Manev wrote:</div><br><blockquote type="cite"><br><br><div class="gmail_quote">On Sat, Feb 11, 2012 at 7:42 PM, Nikolay Denev <span dir="ltr"><<a href="mailto:ndenev@gmail.com" target="_blank">ndenev@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div><div><br><div><div>On Feb 11, 2012, at 7:52 PM, Peter Manev wrote:</div><br><blockquote type="cite"><br><br><div class="gmail_quote">On Sat, Feb 11, 2012 at 4:31 PM, Nikolay Denev <span dir="ltr"><<a href="mailto:ndenev@gmail.com" target="_blank">ndenev@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div><div><br><div><div>On Feb 11, 2012, at 12:11 PM, Peter Manev wrote:</div><br><blockquote type="cite"><br><br><div class="gmail_quote">On Fri, Feb 10, 2012 at 6:43 AM, Nikolay Denev <span dir="ltr"><<a href="mailto:ndenev@gmail.com" target="_blank">ndenev@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br>
On Feb 9, 2012, at 10:04 PM, Nikolay Denev wrote:<br>
<br>
> On Feb 9, 2012, at 10:03 PM, Nikolay Denev wrote:<br>
><br>
>> Hi all,<br>
>><br>
>> It's probably stupid question and I'm missing something but I don't seem to be able<br>
>> to generate alert immediately when for example a given string is found inside a TCP stream.<br>
>> When the TCP connection closes, suricata immediately prints the alert in fast.log.<br>
>> How can I make the alert be generated immediately when the rule condition is matched?<br>
>><br>
>> Also I don't know if its because of this I don't seem to be able to trigger the rule to match several times on the same stream,<br>
>> while I have the string that should fire the alert several times in the stream.<br>
>><br>
>> Here's an example :<br>
>><br>
>> alert tcp $HOME_NET 6666 -> any any \<br>
>> (msg:"got one"; content:"something"; flowint:something,notset; flowint:something,=,1; sid:10;)<br>
>><br>
>> alert tcp $HOME_NET 6666 -> any any \<br>
>> (msg:"got five or more"; content:"something"; flowint:something,isset; flowint:something,+,1; flowint:something,>,5; sid:11;)<br>
>><br>
>> This never works, I just have the first rule fire once when the TCP session is terminated.<br>
>><br>
>><br>
>> P.S.: As a side note the wiki should be updated to include probably "sid"s for the rules, as currently when I try to run the examples<br>
>> suricata complains about duplicated rules.<br>
>><br>
>> Thanks,<br>
>><br>
><br>
> I'm running 1.2.1 RELEASE on FreeBSD-9.0-STABLE.<br>
<br>
</div>This seems to work :<br>
<div><br>
alert tcp $HOME_NET 6666 -> any any \<br>
</div> (msg:"got one"; content:"something"; flowint:something,notset; flowint:something,=,1; noalert; sid:10; priority: 1;)<br>
<div><br>
alert tcp $HOME_NET 6666 -> any any \<br>
</div> (msg:"got more"; content:"something"; flowint:something,isset; flowint:something,+,1; noalert; sid:11; priority: 2;)
<br></blockquote><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><br>
alert tcp $HOME_NET 6666 -> any any \<br>
</div> (msg:"got too many"; content:"something"; flowint:something,isset; flowint:something,>,2; sid:12; priority: 3;)<br>
<div><div><br>
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br><br>Hi Nikolay,<br>I think this is the way it is supposed to work. (last example, by you).<br><br>When you take out "noalert" form sid 11 - does it fire ?<br><br>And are these the only rules that are loaded in terms of flowint or you have others before that?<br>
<br>thanks<br><br><br clear="all"><br>-- <br>Peter Manev<br>
</blockquote><br></div><div><br></div></div></div><div>Yes, It fires, the problem I have is that it doesn't fire for each occurence of "content". </div><div>Is alert supposed to fire once per packet if it matches, or for each match in the stream?</div>
<div><br></div><div>For example now I'm using these rules to catch if there are more than some defined amount of email addresses in a given stream :</div><div><br></div><div><br></div><div><div>alert tcp $HOME_NET 80 -> any any \</div>
<div> (msg:"got one email addr"; content:"|40|"; pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \</div><div> flow:established,from_server; flowint:something,notset; flowint:something,=,1; sid:10; priority:3; noalert;)</div>
<div><br></div><div>alert tcp $HOME_NET 80 -> any any \</div><div> (msg:"got more email addrs"; content:"|40|"; pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \</div><div> flow:established,from_server; flowint:something,isset; flowint:something,+,1; sid:11; priority:2; noalert;)</div>
<div><br></div><div>alert tcp $HOME_NET 80 -> any any \</div><div> (msg:"Got too many email addrs!"; content:"|40|"; pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \</div><div> flow:established,from_server; flowint:something,isset; flowint:something,>,10; sid:12; priority:1; classtype:policy-violation;)</div>
<div><br></div><div><br></div><div>This for example works, but would not match for a simple plain text file with 10 email adresses, I need to have maybe 40-50 or more for this to match.</div><div>Maybe I'm missing something
</div>
</div></div></blockquote><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><div><div>And yes, these are my only rules that I'm testing with. No other rules with or without flowint whatsoever.</div>
</div><br></div></blockquote></div><br>Hi ,<br><div>Just so I understand you correctly - you have a text file (in the
stream) and in that text file you have 10 e-mail addresses and it wold
not fire. correct ?<br>
<br>
</div><div>thanks<br></div><br clear="all"><br>-- <br>Peter Manev<br>
</blockquote></div><br></div></div><div>Exactly.</div><div><br></div><div>For example if I try to fetch the file emails.txt via http which has the following content :</div><div><br></div><div><div># cat emails.txt </div>
<div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div>
<div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div>
<div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div>
<div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div></div><div><br></div><div><div>$ curl <a href="http://testserver/emails.txt" target="_blank">http://testserver/emails.txt</a></div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div>
<div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div>
<div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div>
<div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div><div><a href="mailto:edin@email.com" target="_blank">edin@email.com</a> </div>
<div>$</div></div><div><br></div><div>And I also remove the "noalert" option from the rules, this is what I get in fast.log :</div><div><br></div><div><div>02/11/2012-20:37:23.988271 [**] [1:10:0] got one email addr [**] [Classification: (null)] [Priority: 3] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:57923</div>
<div>02/11/2012-20:37:23.988271 [**] [1:11:0] got more email addrs [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:57923</div></div><div><br></div><div><br></div><div>If I change the third rule to fire if the flowint var is more than 1, it is being triggered.</div>
<div><br></div><div>If I insert some random data between the email addresses in the text file, then I get 4 maybe 5 matches. Doesn't it have to match all 10 of them?</div></div></blockquote></div><br>1. What happens if you take out the PCRE expressions from all the rules ?<br>
2. sid:12 - should not fire because you have >10 , and there are exactly 10 e-mails in the file<br>3. how big is the stream itself? i think it is below 2KB, correct?<br>4. is the PCRE matching the e-mails, under the unix shell ?<br>
5. yes i think you should get more sid:11 alerts - but first lets investigate the above 4.<br><br>thanks<br clear="all"><br>-- <br>Peter Manev<br>
</blockquote></div><br></div></div><div>The file with only the 10 emails is 160 bytes. Even without pcre I get the same result :</div><div><br></div><div><div><div>alert tcp $HOME_NET 80 -> any any \</div></div>
<div> (msg:"got one email addr"; content:"|40|"; \</div><div> flow:established,from_server; flowint:something,notset; flowint:something,=,1; sid:10; priority:3;)</div><div><div>
<br></div><div>alert tcp $HOME_NET 80 -> any any \</div></div><div> (msg:"got more email addrs"; content:"|40|"; \</div><div> flow:established,from_server; flowint:something,isset; flowint:something,+,1; sid:11; priority:2;)</div>
<div><div><br></div><div>alert tcp $HOME_NET 80 -> any any \</div></div><div> (msg:"Got too many email addrs!"; content:"|40|"; \</div><div> flow:established,from_server; flowint:something,isset; flowint:something,>,9; sid:12; priority:1; classtype:policy-violation;)</div>
<div><br></div></div><div><br></div><div>alerts I get :</div><div><br></div><div><div>02/11/2012-21:23:14.567194 [**] [1:10:0] got one email addr [**] [Classification: (null)] [Priority: 3] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:58158</div>
<div>02/11/2012-21:23:14.567194 [**] [1:11:0] got more email addrs [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:58158</div></div><div><br></div><div>If I put some '#' symbols between the emails in the file so that it gets about 9K big and I fetch it I get these alerts :</div>
<div><br></div><div><div>02/11/2012-21:25:37.755214 [**] [1:10:0] got one email addr [**] [Classification: (null)] [Priority: 3] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:58166</div><div>02/11/2012-21:25:37.755214 [**] [1:11:0] got more email addrs [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:58166</div>
<div>02/11/2012-21:25:37.761077 [**] [1:11:0] got more email addrs [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:58166</div><div>02/11/2012-21:25:37.764451 [**] [1:11:0] got more email addrs [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:58166</div>
</div><div><br></div></div></blockquote></div><br><br>Hi Nikolay,<br><br><br>Can you please post this as a bug - please be detailed (as you were in your 2 previous e-mails).<br>Personally i think here sid 11 is the problem , may be it does not count/increment correctly....<br>
thanks<br><br clear="all"><br>-- <br>Peter Manev<br>
</blockquote></div><br></div></div><div>Yes I will post this as a bug. But I've just found a much simpler case.</div><div><br></div><div>Let's for example have only this rule in suricata :</div><div><br></div><div>
alert tcp $HOME_NET 6666 -> any any (msg:"match"; content:"|40|";)</div><div><br></div><div>Then on a monitored machine from the $HOME_NET range I do :</div><div><br></div><div> echo "@ @ @ @ @ @ @ @ @" | nc -l 6666</div>
<div><br></div><div>And on different host I do :</div><div><br></div><div> nc testserver 6666</div><div><br></div><div>This gets the ten @ chars transferred, and I get only one alert.</div><div>But for example if I echo more @ chars, like 5000 or something, I get 3-6 alerts.</div>
<div>I have to check what is actually the number of packets with payload, probably the rule</div><div>is matched once per packet? But this could not explain that I get different number of alerts on different runs.</div><div>
<br></div><div><br></div></div></blockquote></div><br>Sure, that works too :) (as an example i mean).<br><br>Thanks<br clear="all"><br>-- <br>Peter Manev<br>