[Oisf-users] real time alert on tcp stream and flowint
Nikolay Denev
ndenev at gmail.com
Fri Feb 10 05:43:03 UTC 2012

On Feb 9, 2012, at 10:04 PM, Nikolay Denev wrote:
> On Feb 9, 2012, at 10:03 PM, Nikolay Denev wrote:
> 
>> Hi all,
>> 
>> It's probably a stupid question and I'm missing something, but I don't seem to be able
>> to generate an alert immediately when, for example, a given string is found inside a TCP stream.
>> When the TCP connection closes, suricata immediately prints the alert in fast.log.
>> How can I make the alert be generated immediately when the rule condition is matched?
>> 
>> Also, I don't know if it's because of this, but I don't seem to be able to trigger the rule to match several times on the same stream,
>> while I have the string that should fire the alert several times in the stream.
>> 
>> Here's an example:
>> 
>> alert tcp $HOME_NET 6666 -> any any \
>>       (msg:"got one"; content:"something"; flowint:something,notset; flowint:something,=,1; sid:10;)
>> 
>> alert tcp $HOME_NET 6666 -> any any \
>>       (msg:"got five or more"; content:"something"; flowint:something,isset; flowint:something,+,1; flowint:something,>,5; sid:11;)
>> 
>> This never works, I just have the first rule fire once when the TCP session is terminated.
>> 
>> 
>> P.S.: As a side note, the wiki should probably be updated to include "sid"s for the rules, as currently when I try to run the examples
>> suricata complains about duplicated rules.
>> 
>> Thanks,
>> 
> 
> I'm running 1.2.1 RELEASE on FreeBSD-9.0-STABLE.
This seems to work:
alert tcp $HOME_NET 6666 -> any any \
        (msg:"got one"; content:"something"; flowint:something,notset; flowint:something,=,1; noalert; sid:10; priority: 1;)
alert tcp $HOME_NET 6666 -> any any \
        (msg:"got more"; content:"something"; flowint:something,isset; flowint:something,+,1; noalert; sid:11; priority: 2;)
alert tcp $HOME_NET 6666 -> any any \
        (msg:"got too many"; content:"something"; flowint:something,isset; flowint:something,>,2; sid:12; priority: 3;)