Hi Matt,<br>Would you be able to share a test pcap?<br>Change the IPs if needed.<br><br>Thank you<br><br><div class="gmail_quote">On Mon, Jan 7, 2013 at 1:29 AM, Matt Carothers <span dir="ltr"><<a href="mailto:matt@somedamn.com" target="_blank">matt@somedamn.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Adding the flow directions does work. Using the http rules does not. Here's what I have now:<br>
<br>
alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication Accept"; content:"|05 00|"; dsize:2; flowbits:set, socks5; flowbits:noalert; flow:from_server,established;)<br>
alert http any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET"; flowbits:isset, socks5; content:"GET"; nocase; http_method; classtype:trojan-activity; sid:7100001; rev:1;)<br>
alert http any any -> $HOME_NET any (msg:"SOCKS5 Tunneled POST"; flowbits:isset, socks5; content:"POST"; nocase; http_method; classtype:trojan-activity; sid:7100002; rev:1;)<br>
alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET"; flowbits:isset, socks5; flow:from_client,established; content:"GET "; depth:4; classtype:trojan-activity; sid:7100003; rev:1;)<br>
<br>
Only the 710003 rule triggers.<span class="HOEnZb"><font color="#888888"><br>
<br>
Matt</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
On 1/6/2013 4:45 PM, rmkml wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
and Im curious if Suricata detect http rule like "alert http ... content:"GET"; nocase; http_method;..." work ?<br>
Regards<br>
Rmkml<br>
<br>
<br>
On Sun, 6 Jan 2013, rmkml wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Good, please check adding flow:from_server,established on first rule<br>
and flow:to_server,established on second rule please.<br>
Regards<br>
Rmkml<br>
<br>
<br>
On Sun, 6 Jan 2013, Matt wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks! That's exactly what I needed. I can't share a pcap from my customers' traffic, but here are the rules I just wrote:<br>
<br>
alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication Accept"; content:"|05 00|"; dsize:2; flowbits:set, socks5; flowbits:noalert;)<br>
alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET"; flowbits:isset, socks5; content:"GET "; depth:4; classtype:trojan-activity; sid:7100001; rev:1;)<br>
<br>
0x0500 is the reply back from the SOCKS5 server indicating authentication succeeded. A subsequent HTTP GET in the other direction triggers the alert.<br>
<br>
Matt<br>
<br>
On 1/6/2013 3:17 PM, rmkml wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Matt,<br>
Yes it's possible with flowbits...<br>
Can you share a pcap please?<br>
Regards<br>
Rmkml<br>
<br>
<br>
On Sun, 6 Jan 2013, Matt wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Is it possible to write a rule that matches a sequence of packets in a flow? My specific use case is that I'd like to match HTTP requests sent across SOCKS5 proxy tunnels. I can easily write a rule to match a SOCKS5 handshake or an HTTP request, but I don't know if it's possible to match the request only when it follows the handshake in a given tcp session.<br>
<br>
- Matt<br>
</blockquote></blockquote></blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
______________________________<u></u>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@<u></u>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/<u></u>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.<u></u>openinfosecfoundation.org/<u></u>mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.<u></u>openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div>