<div dir="ltr"><div>Hi All, </div><div><br></div><div>I used the following scripts for detecting one way flow. </div><div><br></div><div><span style="font-size:12.8px">function init (args)</span><br style="font-size:12.8px"><span style="font-size:12.8px"> local needs = {}</span><br style="font-size:12.8px"><span style="font-size:12.8px"> needs["packet"] = tostring(true)</span><br style="font-size:12.8px"><span style="font-size:12.8px"> return needs</span><br style="font-size:12.8px"><span style="font-size:12.8px">end</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">function match(args)</span></div><div> ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()<br style="font-size:12.8px"><span style="font-size:12.8px"> ts_pkts, ts_bytes, tc_pkts, to_bytes = SCFlowStats()</span></div><div> tmpstr = string.format("Version: %s; srcip%s:%s -> dstip %s:%s; ts: %s and tc: %s", ipver, srcip, sp, dstip, dp, ts_pkts, tc_pkts)</div><div> print (tmpstr)<br><span style="font-size:12.8px"> if ts_pkts == nil then</span><br style="font-size:12.8px"><span style="font-size:12.8px"> return 0</span><br style="font-size:12.8px"><span style="font-size:12.8px"> end</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px"> if ts_pkts > 10 and tc_pkts == 0 then</span><br style="font-size:12.8px"><span style="font-size:12.8px"> return 1</span><br style="font-size:12.8px"><span style="font-size:12.8px"> elseif tc_pkts > 10 and ts_pkts == 0 then</span><br style="font-size:12.8px"><span style="font-size:12.8px"> return 1</span><br style="font-size:12.8px"><span style="font-size:12.8px"> end</span><br style="font-size:12.8px"><span style="font-size:12.8px"> return 0</span><br style="font-size:12.8px"><span style="font-size:12.8px">end</span><br></div><div><div><br></div><div><br></div><div>I ran the script for one minute, when I checked my results, I got confused. I expected the SCFlowStats() will return the flow information based on the 5-tuple information. So the script can classify the following packets as one flow. </div><div><br></div><div><font color="#ff0000">Version: 4; srcip <a href="http://210.7.45.14:443">210.7.45.14:443</a> -> dstip <a href="http://130.216.182.154:51218">130.216.182.154:51218</a>; ts: 1 and tc: 0</font></div><div><font color="#ff0000"><br></font></div><div>Version: 4; srcip <a href="http://210.7.45.14:443">210.7.45.14:443</a> -> dstip <a href="http://130.216.182.154:51218">130.216.182.154:51218</a>; ts: 3 and tc: 0</div><div>Version: 4; srcip <a href="http://210.7.45.14:443">210.7.45.14:443</a> -> dstip <a href="http://130.216.182.154:51218">130.216.182.154:51218</a>; ts: 3 and tc: 0</div><div><br></div><div><font color="#ff0000">Version: 4; srcip <a href="http://130.216.182.154:51218">130.216.182.154:51218</a> -> dstip <a href="http://210.7.45.14:443">210.7.45.14:443</a>; ts: 1 and tc: 0</font></div></div><div><br></div><div>But the results show different information. Why the packet from <span style="color:rgb(255,0,0)">130.216.182.154 to </span><span style="color:rgb(255,0,0)"> </span><span style="color:rgb(255,0,0)">210.7.45.14 </span><font color="#000000">didn't count as tc ?</font><br></div><div><br></div><div><br></div><div>I just wondering, if anyone has same problem, do i miss something in the scrip?</div><div><br></div><div>Many thanks for your help.</div><div><br></div><div><br></div><div><br></div><div>Kind regards,</div><div><br></div><div><br></div><div><br></div><div>Steven</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 9 October 2015 at 14:18, Qinwen Hu <span dir="ltr"><<a href="mailto:qhu009@aucklanduni.ac.nz" target="_blank">qhu009@aucklanduni.ac.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Victor,<div><br></div><div>Many thanks for your reply, I have applied the sample code from your previous email into my system. But I find one strange issue:</div><div><br></div><div>My Suricata runs for few seconds and then stops. I can see the tcpdump still receiving IPv6 packets, but Suricata stops to capture incoming packets.</div><div><br></div><div>I have attached the screen shot and my configure file in this Email. Can you please help me on this issue?</div><div><br></div><div><br></div><div>I used Suricata 2.1beta4 on my PC. </div><div><br></div><div><br></div><div>Many thanks for your help, have a nice day.</div><div><br></div><div><br></div><div>Kind regards,</div><div><br></div><div><br></div><div>Steven</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div> </div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On 9 October 2015 at 00:17, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 08-10-15 11:34, Qinwen Hu wrote:<br>
> I try to use Suricata to detect one way flows in our network<br>
> environment. I have enable the flow module from eve-log. But my suricata<br>
> only run 1s for recording the flow and then stop to detect the one way<br>
> flow. Does anyone know the reason?<br>
><br>
><br>
> I also tried to define a new signature for detecting a one way flow. I<br>
> created a new signature<br>
><br>
> alert ipv6 any any -> any any (msg:"IPv6 one way flow"; flow:stateless;<br>
> sid:2900096; rev:1;)<br>
><br>
> Again, I didn't observe any IPv6 one flows. We have used another tool in<br>
> the same environment, we can detect IPv6 one way flows by using that tool.<br>
><br>
> I just wondering, how to use Suricata to detect a one way flow? Can<br>
> anyone help me on this?<br>
<br>
</span>You could try lua:<br>
<br>
ts_pkts, ts_bytes, tc_pkts, to_bytes = SCFlowStats();<br>
if ts_pkts == nil then<br>
return 0<br>
end<br>
<br>
Full script example:<br>
<br>
function init (args)<br>
local needs = {}<br>
needs["packet"] = tostring(true)<br>
return needs<br>
end<br>
<br>
function match(args)<br>
ts_pkts, ts_bytes, tc_pkts, to_bytes = SCFlowStats();<br>
if ts_pkts == nil then<br>
return 0<br>
end<br>
<br>
if ts_pkts > 10 and tc_pkts == 0 then<br>
return 1<br>
elseif tc_pkts > 10 and ts_pkts == 0 then<br>
return 1<br>
end<br>
return 0<br>
end<br>
<br>
Then add something like:<br>
<br>
alert ip any any -> any any (flowbits:isnotset,foo; lua:flow-stats.lua;<br>
flowbits:set,foo; sid:1;)<br>
<br>
You'll need recent code for this, e.g. 2.1beta4 or the git master.<br>
<span><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div><div style="font-family:Verdana;background-color:rgb(255,255,255)"><br></div><div style="font-family:Verdana;background-color:rgb(255,255,255)"><span style="color:rgb(192,192,192)">胡勤文/</span><font color="#222222">Qinwen</font><font color="#c0c0c0"> </font><font color="#222222">Hu</font></div><div style="font-family:Verdana;background-color:rgb(255,255,255)"><font color="#222222"><br></font><font color="#c0c0c0">Ph.D. Candidate,</font><span style="color:rgb(192,192,192)"> Computer Science, University of Auckland</span></div><div style="font-family:Verdana;background-color:rgb(255,255,255)"><span style="color:rgb(192,192,192)">奥克兰大学 计算机科学 博士研究生</span></div><div style="font-family:Verdana;background-color:rgb(255,255,255)"><br></div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div style="font-family:Verdana;background-color:rgb(255,255,255)"><br></div><div style="font-family:Verdana;background-color:rgb(255,255,255)"><span style="color:rgb(192,192,192)">胡勤文/</span><font color="#222222">Qinwen</font><font color="#c0c0c0"> </font><font color="#222222">Hu</font></div><div style="font-family:Verdana;background-color:rgb(255,255,255)"><font color="#222222"><br></font><font color="#c0c0c0">Ph.D. Candidate,</font><span style="color:rgb(192,192,192)"> Computer Science, University of Auckland</span></div><div style="font-family:Verdana;background-color:rgb(255,255,255)"><span style="color:rgb(192,192,192)">奥克兰大学 计算机科学 博士研究生</span></div><div style="font-family:Verdana;background-color:rgb(255,255,255)"><br></div></div>
</div>