<div dir="ltr"><div><div><div><div><div>Hi,<br><br></div>I am wondering whether "timed flowbits" has ever been considered as a rule option? I.e., say I am a client machine. I access an exploit kit and my Java is exploited, I then download a PDF; usually that happens within a few seconds only, which is much faster than a usual user, so if you had a rule which was like (completely fabricated rule language but just conveying the idea):<br>
<br></div><div># First set "flowtime" like flowbits to expire after so long but can be used to alert in that time if something is matched between the same source/destination in the time. In this you could combine other indicators too (like I have noticed most Java exploits in exploit kits are usually small to the point of being under 30K in size)<br>
</div>alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Java Archive Downloaded"; flow:established,to_client; content:"java/archive"; http_header; file_data; content:"PK"; within:2; flowtime:track,src_and_dst,time:4 seconds; flowbits:noalert; classtype:not-suspicious; sid:123991; rev:1;)<br>
<br>alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF Downloaded"; flow:established,to_client; filemagic:"PDF doc"; flowtime:exploit,track,src_and_dst,time:4 seconds; flowbits:noalert; classtype:not-suspicious; sid:123992; rev:1;)<br><br></div><div># If an executable is then downloaded within the time period it will generate an alert.<br></div><div>alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Executable Download Following Potential Java/PDF Exploit"; flowtimeset:exploit; flow:established,to_client; filemagic:"PE32"; classtype:bad-unknown; sid:123993; rev:1;)<br><br></div>Hopefully I am conveying this scenario well enough. Most likely this is the only scenario where this would make sense, but such a system could even help spot zero-day attacks, as you are focusing more on the unusual timing of the requests in this case.<br>
<br></div>Just a thought I had looking at logs :)<br></div>Regards,<br>Kevin<br></div>
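The correlation the proposal sketches, as an added Python example that is not part of the original post and not Snort/Suricata code: a per-(src,dst) timer is set silently by a Java-archive or PDF download and an alert fires only if a PE32 download follows within the window. The event records are constructed sample data.

```python
# Constructed sample file-download events: (timestamp in seconds, src, dst, file kind).
# Made-up values for illustration, not data from the mailing-list post.
EVENTS = [
    (100.0, "203.0.113.10", "192.0.2.5", "java_archive"),
    (101.5, "203.0.113.10", "192.0.2.5", "pdf"),
    (102.8, "203.0.113.10", "192.0.2.5", "pe32"),   # 1.3 s after the PDF: alert
    (200.0, "203.0.113.20", "192.0.2.7", "pdf"),
    (260.0, "203.0.113.20", "192.0.2.7", "pe32"),   # 60 s later: timer expired, no alert
    (300.0, "203.0.113.30", "192.0.2.9", "pe32"),   # no prior Java/PDF on this pair: no alert
]

FLOWTIME_SECONDS = 4.0                 # the proposed "time:4 seconds"
SETTERS = {"java_archive", "pdf"}      # rules carrying "flowtime:exploit ... flowbits:noalert"
CHECKER = "pe32"                       # the rule carrying "flowtimeset:exploit"


def correlate(events, window=FLOWTIME_SECONDS):
    """Return alerts (timestamp, src, dst, reason) for executables downloaded
    within `window` seconds of a Java archive or PDF on the same src/dst pair."""
    timers = {}   # (src, dst) -> (time the bit was set, which kind set it); track:src_and_dst
    alerts = []
    for ts, src, dst, kind in sorted(events):
        key = (src, dst)
        if kind in SETTERS:
            # Set (or refresh) the timed bit without alerting, as flowbits:noalert would.
            timers[key] = (ts, kind)
            continue
        if kind == CHECKER and key in timers:
            set_ts, setter = timers[key]
            if ts - set_ts <= window:
                alerts.append((ts, src, dst, f"PE32 {ts - set_ts:.1f}s after {setter}"))
            else:
                del timers[key]   # the bit has expired; drop the stale state
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

With the 4-second window only the first source/destination pair alerts; widening the window to 60 seconds also catches the second pair, which is the trade-off between the proposal's timing focus and ordinary user behaviour.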