[Oisf-devel] accessing flowints and flowbits in decode

[Victor Julien]

On 02/27/2013 10:29 PM, David Mandelberg wrote:
> Hi,
> 
> I'm trying to implement an interactive session alert based on
> http://ouah.org/backdoor-sec00.pdf.
> 
> I considered doing it as a set of rules using flowints and flowbits, but
> as far as I can tell, there's no way to access the difference in time
> between when two packets are received. Also, it seems like the
> performance of multiple rules triggering on every single packet might be
> suboptimal.
> 
> Because of the above, I think the best place to implement it is a common
> function called by both DecodeIPV4 and DecodeIPV6. Does that seem like
> the right place? Is there enough information at those points to

At this point the flow isn't yet available. It's only available after
the tcp/udp/etc layer is processed.

> determine if the packet is part of a flow and access per-flow integers
> and bits if it is? Is there a way to get the packet arrival time that
> works for both live capture and reading pcap files? Is there any reason
> not to format the packet arrival time as a *nix time and store it in a
> flowint?

I think creating a detection keyword would be best. There you have
access to the flow. You can use flowvars/flowints and such. From there
you also have full access to the pkt headers, the raw pkt data, pkt time
stamps, etc.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------