<div dir="ltr">Yes... We need this..<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Oct 1, 2013 at 10:11 AM, Shirkdog <span dir="ltr"><<a href="mailto:shirkdog@gmail.com" target="_blank">shirkdog@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This goes back to the idea of global flowbits, which Mike Rash<br>
described in this blog post:<br>
<a href="http://www.cipherdyne.org/blog/2013/07/crossing-the-streams-in-ids-signature-languages.html" target="_blank">http://www.cipherdyne.org/blog/2013/07/crossing-the-streams-in-ids-signature-languages.html</a><br>
---<br>
Michael Shirk<br>
<div><div class="h5"><br>
<br>
On Tue, Oct 1, 2013 at 11:04 AM, Kevin Ross <<a href="mailto:kevross33@googlemail.com">kevross33@googlemail.com</a>> wrote:<br>
> Hi,<br>
><br>
> I am wondering has "timed flowbits" ever been considered as a rule option?<br>
> i.e say I am a client machine. I access a exploit kit and my java is<br>
> exploited, I then download a PDF; usually that happens within a few seconds<br>
> only which is much faster than a usual user so if you had a rule which was<br>
> like (completely fabricated rule language but just conveying the idea).<br>
><br>
> # First set "flowtime" like flowbits to expire after so long but can be used<br>
> to alert in that time if something is matched between the same<br>
> source/destination in the time. In this you could combine other indicators<br>
> too (like I have noticed most Java exploits in exploit kits are usually<br>
> small to the point of being under 30K in size)<br>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Java Archive<br>
> Downloaded"; flow:established,to_client; content:"java/archive";<br>
> http_header; file_data; content:"PK"; within:2;<br>
> flowtime:track,src_and_dst,time:4 seconds; flowbits:noalert;<br>
> classtype:not-supisicous; sid:123991; rev:1;)<br>
><br>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF Downloaded";<br>
> flow:established,to_client; filemagic:"PDF doc";<br>
> flowtime:exploit,track,src_and_dst,time:4 seconds; flowbits:noalert;<br>
> classtype:not-supisicous; sid:123992; rev:1;)<br>
><br>
> # If an executable then is downloaded within the time period it will then<br>
> generate an alert.<br>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Executable Download<br>
> Following Potential Java/PDF Exploit"; flowtimeset:exploit;<br>
> flow:established,to_client; filemagic:"PE32"; classtype:bad-unknown;<br>
> sid:123993; rev:1;)<br>
><br>
> Hopefully I am conveying this scenario well enough. Mostly likely this is<br>
> probably the only scenerio where this would make sense but such a system<br>
> could even help spot zero day attacks as you are focusing more on the<br>
> unusual timings of the request in this case.<br>
><br>
> Just a thought I had looking at logs :)<br>
> Regards,<br>
> Kevin<br>
><br>
</div></div>> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br></div>