<br><br>
<div class="gmail_quote">On Tue, Feb 14, 2012 at 10:21 AM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">
<div class="im">On 02/12/2012 08:15 AM, Nikolay Denev wrote:<br>><br>> On Feb 11, 2012, at 10:11 PM, Peter Manev wrote:<br>><br>>><br>>><br>>> On Sat, Feb 11, 2012 at 8:27 PM, Nikolay Denev <<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a><br>
</div>
<div class="im">>> <mailto:<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a>>> wrote:<br>>><br>>><br>>> On Feb 11, 2012, at 9:14 PM, Peter Manev wrote:<br>>><br>>>><br>
>>><br>>>> On Sat, Feb 11, 2012 at 7:42 PM, Nikolay Denev <<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a><br></div>
<div class="im">>>> <mailto:<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a>>> wrote:<br>>>><br>>>><br>>>> On Feb 11, 2012, at 7:52 PM, Peter Manev wrote:<br>
>>><br>>>>><br>>>>><br>>>>> On Sat, Feb 11, 2012 at 4:31 PM, Nikolay Denev<br></div>
<div class="im">>>>> <<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a> <mailto:<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a>>> wrote:<br>>>>><br>>>>><br>
>>>> On Feb 11, 2012, at 12:11 PM, Peter Manev wrote:<br>>>>><br>>>>>><br>>>>>><br>>>>>> On Fri, Feb 10, 2012 at 6:43 AM, Nikolay Denev<br>
</div>
<div>
<div class="h5">>>>>> <<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a> <mailto:<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a>>> wrote:<br>>>>>><br>>>>>><br>
>>>>> On Feb 9, 2012, at 10:04 PM, Nikolay Denev wrote:<br>>>>>><br>>>>>> > On Feb 9, 2012, at 10:03 PM, Nikolay Denev wrote:<br>>>>>> ><br>
>>>>> >> Hi all,<br>>>>>> >><br>>>>>> >> It's probably a stupid question and I'm missing<br>>>>>> something, but I don't seem to be able<br>
>>>>> >> to generate alert immediately when for example a<br>>>>>> given string is found inside a TCP stream.<br>>>>>> >> When the TCP connection closes, suricata<br>
>>>>> immediately prints the alert in fast.log.<br>>>>>> >> How can I make the alert be generated<br>>>>>> immediately when the rule condition is matched?<br>
>>>>> >><br>>>>>> >> Also I don't know if it's because of this I don't<br>>>>>> seem to be able to trigger the rule to match<br>
>>>>> several times on the same stream,<br>>>>>> >> while I have the string that should fire the<br>>>>>> alert several times in the stream.<br>
>>>>> >><br>>>>>> >> Here's an example :<br>>>>>> >><br>>>>>> >> alert tcp $HOME_NET 6666 -> any any \<br>
>>>>> >> (msg:"got one"; content:"something";<br>>>>>> flowint:something,notset; flowint:something,=,1;<br>>>>>> sid:10;)<br>
>>>>> >><br>>>>>> >> alert tcp $HOME_NET 6666 -> any any \<br>>>>>> >> (msg:"got five or more";<br>
>>>>> content:"something"; flowint:something,isset;<br>>>>>> flowint:something,+,1; flowint:something,>,5; sid:11;)<br>>>>>> >><br>
>>>>> >> This never works, I just have the first rule<br>>>>>> fire once when the TCP session is terminated.<br>>>>>> >><br>
>>>>> >><br>>>>>> >> P.S.: As a side note the wiki should be updated<br>>>>>> to include probably "sid"s for the rules, as<br>
>>>>> currently when I try to run the examples<br>>>>>> >> suricata complains about duplicated rules.<br>>>>>> >><br>
>>>>> >> Thanks,<br>>>>>> >><br>>>>>> ><br>>>>>> > I'm running 1.2.1 RELEASE on FreeBSD-9.0-STABLE.<br>
>>>>><br>>>>>> This seems to work :<br>>>>>><br>>>>>> alert tcp $HOME_NET 6666 -> any any \<br>>>>>> (msg:"got one"; content:"something";<br>
>>>>> flowint:something,notset; flowint:something,=,1;<br>>>>>> noalert; sid:10; priority: 1;)<br>>>>>><br>>>>>> alert tcp $HOME_NET 6666 -> any any \<br>
>>>>> (msg:"got more"; content:"something";<br>>>>>> flowint:something,isset; flowint:something,+,1;<br>>>>>> noalert; sid:11; priority: 2;)<br>
>>>>><br>>>>>><br>>>>>> alert tcp $HOME_NET 6666 -> any any \<br>>>>>> (msg:"got too many"; content:"something";<br>
>>>>> flowint:something,isset; flowint:something,>,2;<br>>>>>> sid:12; priority: 3;)<br>>>>>><br>>>>>><br>>>>>> _______________________________________________<br>
>>>>> Oisf-users mailing list<br>>>>>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br></div></div>>>>>> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>><br>
<div>
<div class="h5">>>>>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>>>>><br>>>>>><br>>>>>><br>>>>>> Hi Nikolay,<br>>>>>> I think this is the way it is supposed to work. (last<br>>>>>> example, by you).<br>
>>>>><br>>>>>> When you take out "noalert" from sid 11 - does it fire?<br>>>>>><br>>>>>> And are these the only rules that are loaded in terms<br>
>>>>> of flowint or you have others before that?<br>>>>>><br>>>>>> thanks<br>>>>>><br>>>>>><br>>>>>><br>>>>>> --<br>
>>>>> Peter Manev<br>>>>><br>>>>><br>>>>> Yes, it fires; the problem I have is that it doesn't<br>>>>> fire for each occurrence of "content".<br>
>>>> Is alert supposed to fire once per packet if it matches,<br>>>>> or for each match in the stream?<br>>>>><br>>>>> For example now I'm using these rules to catch if there<br>
>>>> are more than some defined amount of email addresses in<br>>>>> a given stream :<br>>>>><br>>>>><br>>>>> alert tcp $HOME_NET 80 -> any any \<br>
>>>> (msg:"got one email addr"; content:"|40|";<br>>>>> pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \<br>>>>> flow:established,from_server;<br>
>>>> flowint:something,notset; flowint:something,=,1; sid:10;<br>>>>> priority:3; noalert;)<br>>>>><br>>>>> alert tcp $HOME_NET 80 -> any any \<br>
>>>> (msg:"got more email addrs"; content:"|40|";<br>>>>> pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \<br>>>>> flow:established,from_server;<br>
>>>> flowint:something,isset; flowint:something,+,1; sid:11;<br>>>>> priority:2; noalert;)<br>>>>><br>>>>> alert tcp $HOME_NET 80 -> any any \<br>
>>>> (msg:"Got too many email addrs!";<br>>>>> content:"|40|";<br>>>>> pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \<br>
>>>> flow:established,from_server;<br>>>>> flowint:something,isset; flowint:something,>,10; sid:12;<br>>>>> priority:1; classtype:policy-violation;)<br>
>>>><br>>>>><br>>>>> This for example works, but would not match for a simple<br>>>>> plain text file with 10 email addresses, I need to have<br>>>>> maybe 40-50 or more for this to match.<br>
>>>> Maybe I'm missing something…<br>>>>><br>>>>> And yes, these are my only rules that I'm testing with.<br>>>>> No other rules with or without flowint whatsoever.<br>
>>>><br>>>>><br>>>>> Hi ,<br>>>>> Just so I understand you correctly - you have a text file<br>>>>> (in the stream) and in that text file you have 10 e-mail<br>
>>>> addresses and it would not fire. Correct?<br>>>>><br>>>>><br>>>>> thanks<br>>>>><br>>>>><br>>>>> --<br>>>>> Peter Manev<br>
>>><br>>>> Exactly.<br>>>><br>>>> For example if I try to fetch the file emails.txt via http<br>>>> which has the following content :<br>>>><br>
>>> # cat emails.txt<br></div></div>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>><br>>>> $ curl <a href="http://testserver/emails.txt" target="_blank">http://testserver/emails.txt</a><br>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
<div>
<div class="h5">>>> $<br>>>><br>>>> And I also remove the "noalert" option from the rules, this<br>>>> is what I get in fast.log :<br>>>><br>
>>> 02/11/2012-20:37:23.988271 [**] [1:10:0] got one email addr<br>>>> [**] [Classification: (null)] [Priority: 3] {TCP} X.X.X.X:80<br>>>> -> Y.Y.Y.Y:57923<br>>>> 02/11/2012-20:37:23.988271 [**] [1:11:0] got more email<br>
>>> addrs [**] [Classification: (null)] [Priority: 2] {TCP}<br>>>> X.X.X.X:80 -> Y.Y.Y.Y:57923<br>>>><br>>>><br>>>> If I change the third rule to fire if the flowint var is more<br>
>>> than 1, it is being triggered.<br>>>><br>>>> If I insert some random data between the email addresses in<br>>>> the text file, then I get 4 maybe 5 matches. Doesn't it have<br>
>>> to match all 10 of them?<br>>>><br>>>><br>>>> 1. What happens if you take out the PCRE expressions from all<br>>>> the rules ?<br>>>> 2. sid:12 - should not fire because you have >10 , and there are<br>
>>> exactly 10 e-mails in the file<br>>>> 3. how big is the stream itself? i think it is below 2KB, correct?<br>>>> 4. is the PCRE matching the e-mails, under the unix shell ?<br>>>> 5. yes i think you should get more sid:11 alerts - but first lets<br>
>>> investigate the above 4.<br>>>><br>>>> thanks<br>>>><br>>>> --<br>>>> Peter Manev<br>>><br>>> The file with only the 10 emails is 160 bytes. Even without pcre I<br>
>> get the same result :<br>>><br>>> alert tcp $HOME_NET 80 -> any any \<br>>> (msg:"got one email addr"; content:"|40|"; \<br>>> flow:established,from_server; flowint:something,notset;<br>
>> flowint:something,=,1; sid:10; priority:3;)<br>>><br>>> alert tcp $HOME_NET 80 -> any any \<br>>> (msg:"got more email addrs"; content:"|40|"; \<br>>> flow:established,from_server; flowint:something,isset;<br>
>> flowint:something,+,1; sid:11; priority:2;)<br>>><br>>> alert tcp $HOME_NET 80 -> any any \<br>>> (msg:"Got too many email addrs!"; content:"|40|"; \<br>
>> flow:established,from_server; flowint:something,isset;<br>>> flowint:something,>,9; sid:12; priority:1;<br>>> classtype:policy-violation;)<br>>><br>>><br>>> alerts I get :<br>
>><br>>> 02/11/2012-21:23:14.567194 [**] [1:10:0] got one email addr [**]<br>>> [Classification: (null)] [Priority: 3] {TCP} X.X.X.X:80 -><br>>> Y.Y.Y.Y:58158<br>>> 02/11/2012-21:23:14.567194 [**] [1:11:0] got more email addrs<br>
>> [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -><br>>> Y.Y.Y.Y:58158<br>>><br>>> If I put some '#' symbols between the emails in the file so that<br>>> it gets about 9K big and I fetch it I get these alerts :<br>
>><br>>> 02/11/2012-21:25:37.755214 [**] [1:10:0] got one email addr [**]<br>>> [Classification: (null)] [Priority: 3] {TCP} X.X.X.X:80 -><br>>> Y.Y.Y.Y:58166<br>>> 02/11/2012-21:25:37.755214 [**] [1:11:0] got more email addrs<br>
>> [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -><br>>> Y.Y.Y.Y:58166<br>>> 02/11/2012-21:25:37.761077 [**] [1:11:0] got more email addrs<br>>> [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -><br>
>> Y.Y.Y.Y:58166<br>>> 02/11/2012-21:25:37.764451 [**] [1:11:0] got more email addrs<br>>> [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -><br>>> Y.Y.Y.Y:58166<br>
>><br>>><br>>><br>>> Hi Nikolay,<br>>><br>>><br>>> Can you please post this as a bug - please be detailed (as you were in<br>>> your 2 previous e-mails).<br>>> Personally i think here sid 11 is the problem , may be it does not<br>
>> count/increment correctly....<br>>> thanks<br>>><br>>><br>>> --<br>>> Peter Manev<br>><br>> Yes I will post this as a bug. But I've just found a much simpler case.<br>><br>
> Let's for example have only this rule in suricata :<br>><br>> alert tcp $HOME_NET 6666 -> any any (msg:"match"; content:"|40|";)<br>><br>> Then on a monitored machine from the $HOME_NET range I do :<br>
><br>> echo "@ @ @ @ @ @ @ @ @" | nc -l 6666<br>><br>> And on different host I do :<br>><br>> nc testserver 6666<br>><br>> This gets the ten @ chars transferred, and I get only one alert.<br>
> But for example if I echo more @ chars, like 5000 or something, I get<br>> 3-6 alerts.<br>> I have to check what is actually the number of packets with payload,<br>> probably the rule<br>> is matched once per packet? But this could not explain that I get<br>
> different number of alerts on different runs.<br><br></div></div>The behavior is by design. TCP data by default is inspected in the<br>stream context, which means the "@ @ @ @ @ @ @ @ @" buffer is inspected<br>
at once. </blockquote>
<div> </div>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">Suricata will not try to find every possible match in a<br>payload, but just one.<br></blockquote>
<div>That's good to know - clears out a few questions of mine....</div>
<div>but then a PCRE (matching on 10 "@") should match all of them - correct? Having in mind they are in the same "chunk".</div>
<div> </div>
<div> </div>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><br>The reason you get more alerts if you increase the payload<br>significantly, is that the stream is inspected in chunks. The size of<br>
those chunks is determined by your stream toserver_chunk_size setting.<br><span class="HOEnZb"><font color="#888888"><br>--<br>---------------------------------------------<br>Victor Julien<br><a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>---------------------------------------------<br></font></span>
<div class="HOEnZb">
<div class="h5">
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>
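<p>As an added example, not from the thread and not Suricata code, the Python model below shows the behaviour Victor describes: a content keyword is satisfied by the first hit in each inspected buffer, the stream is inspected in chunks, and so the sid:10 / sid:11 / sid:12 counter ends up at one plus the number of chunks that contained a match, not at the number of occurrences. The sample streams are constructed, the 2560-byte chunk size is an assumption (the real values are toserver-chunk-size and toclient-chunk-size under stream.reassembly in suricata.yaml, and which one applies depends on the direction of the data), chunks are assumed to start at the first payload byte, and the rules are assumed to be evaluated in the order listed, which is what the identical timestamps on the sid:10 and sid:11 alerts in the thread suggest.</p>

```python
#!/usr/bin/env python3
"""Constructed model (not Suricata source) of chunked stream inspection.

Assumptions, stated here and in the lead-in: fixed-size chunks aligned to
the start of the payload, rules evaluated in the order listed, and a
content keyword that needs only one hit per inspected buffer. Real chunk
boundaries also depend on segment boundaries and reassembly settings.
"""

from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple


@dataclass
class Result:
    occurrences: int          # times the needle appears in the whole stream
    chunks: int               # inspection buffers the stream was cut into
    matching_chunks: int      # buffers containing the needle at least once
    flowint: Optional[int]    # final value of the per-flow counter (None = notset)
    alerts: List[Tuple[int, int]] = field(default_factory=list)  # (chunk, sid)


def chunk_stream(payload: bytes, chunk_size: int) -> Iterator[bytes]:
    """Cut the reassembled stream into inspection buffers of chunk_size bytes."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    for offset in range(0, len(payload), chunk_size):
        yield payload[offset:offset + chunk_size]


def inspect(payload: bytes, chunk_size: int, needle: bytes = b"@",
            too_many: int = 9) -> Result:
    """Run the thread's three-rule counter over a chunked stream.

    sid:10  content; flowint:something,notset; flowint:something,=,1
    sid:11  content; flowint:something,isset;  flowint:something,+,1
    sid:12  content; flowint:something,isset;  flowint:something,>,too_many
    """
    res = Result(occurrences=payload.count(needle), chunks=0,
                 matching_chunks=0, flowint=None)
    for idx, buf in enumerate(chunk_stream(payload, chunk_size)):
        res.chunks += 1
        # content:"|40|" is satisfied by the first hit in this buffer; any
        # further occurrences inside the same buffer are never counted.
        if needle not in buf:
            continue
        res.matching_chunks += 1
        if res.flowint is None:          # sid:10 sets the counter once per flow
            res.flowint = 1
            res.alerts.append((idx, 10))
        res.flowint += 1                 # sid:11 sees it set, even on the same buffer
        res.alerts.append((idx, 11))
        if res.flowint > too_many:       # sid:12 only after enough matching chunks
            res.alerts.append((idx, 12))
    return res


# Constructed inputs (assumed, not captured traffic): ten addresses on
# consecutive lines, ~150 bytes, and the same ten addresses each followed
# by '#' filler so that every address lands in its own 2560-byte chunk.
TEN_ADDRS = b"edin@email.com\n" * 10
PADDED = b"".join(b"edin@email.com\n" + b"#" * (2560 - 15) for _ in range(10))

if __name__ == "__main__":
    for name, data, size in (("ten addresses", TEN_ADDRS, 2560),
                             ("padded", PADDED, 2560),
                             ("ten addresses, tiny chunks", TEN_ADDRS, 15)):
        r = inspect(data, chunk_size=size)
        print(f"{name}: {r.occurrences} occurrences in {r.chunks} chunk(s), "
              f"{r.matching_chunks} matching, flowint={r.flowint}, "
              f"sids={[sid for _, sid in r.alerts]}")
```

<p>The first run reproduces the thread's 160-byte case: one buffer, one sid:10 and one sid:11 alert, counter at 2, so a rule checking for more than 1 fires and one checking for more than 9 never does. The padded stream reaches sid:12 only because the filler pushes each address into a separate chunk, which is why Nikolay needed far more than ten addresses before the threshold tripped. The third run inspects the very same 150 bytes with a 15-byte chunk size and does reach the threshold, which makes the dependence on the chunk size explicit: the counter measures matching buffers, not occurrences.</p>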