[Oisf-users] [Oisf-devel] New Features: Flowint

Victor Julien victor at inliniac.net
Tue Sep 14 13:35:33 UTC 2010

Rich Rumble wrote:
> On Mon, Jan 11, 2010 at 1:44 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> ...
>> Flowint allows storage and mathematical operations using variables. It
>> operates much like flowbits but with the addition of mathematical
>> capabilities and the fact that an integer can be stored and manipulated,
>> not just a flag set. We can use this for a number of very useful things,
>> such as counting occurrences, adding or subtracting occurrences, or
>> doing thresholding within a stream in relation to multiple factors. This
>> will be expanded to a global context very soon so we can do these
>> operations between streams. More on that when it's in there!
> ...
>> The syntax is as follows:
>> flowint: <var>, <set|isset|unset>;
>> Define a var (not required), or check that one is set or not set.
>> flowint: <var>, <operator>, <var or integer>;
>> flowint: <var>, < +,-,=,>,<,>=,<=,==, != >, <var or integer>;
> I'm sorry I haven't paid enough attention to the list or been to the
> brainstorming meetings, but is there an "if/then" type of function, a little
> different than flowint, for example:
> alert tcp any any -> any any (msg:"Suspicious file execution"; content:
> "gsecdump"; trigger:9999990;)
> trigger:9999990 = alert alert tcp $host_1 any -> $host_2 any (msg:"Suspicious
> activity, dump next 200 packets for both hosts";)
> I have no idea how to write it "Snort like", but let's say I find an exe
> executing, can I have a new rule be "activated" so that it dumps the next X
> packets from either of the hosts that triggered the alert, or even just one
> of them if the "trigger rule" specifies the src/dst or whatever. Can flowint
> use the detected hosts and pass them on as variables?
> Host_1 ---> runs gsecdump against host_2 which set off an alert. The IDS
> then passes the hosts' IPs to the flowint rule which looks for content:
> Username, or content=* up to 200 packets each host?
> Does that exist, half exist, it's on the roadmap, will never happen in this
> lifetime bub? (please circle one:)
> I hope I've explained it well enough, to me it sounds like an oversimplified
> if/then rule that passes the src and dst onto the next rule... So rules that
> might have a high FP/FN rate could be mitigated because those high false
> positive/negative rules only run against a select host or two. I'm sure there
> would have to be checks and balances so you don't get your IDS to fall over,
> especially if the "if" portion of the rule was hitting hundreds of times a
> second.
> Just an idea.

Wouldn't it be possible to do such a thing with a combination of
flowbits and flowints?

Sig1: content:"gsecdump"; flowbits:set,inspect_sig1;
Sig2: flowbits:isset,inspect_sig1; flowint:sig2_cnt,+,1;
Sig3: flowbits:isset,inspect_sig1; content:"more thorough inspection here";
Sig4: flowbits:isset,inspect_sig1; flowint:sig2_cnt,==,200;

Sig1 would flag the flow for further inspection. Sig2 would keep a
packet counter in the flow. Sig3 would do the actual further inspection
of those packets. Sig4 stops the further inspection.

A bit of a hassle I admit :)


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
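
The four-signature pattern above, modelled in Python as an added example that is not part of the original message and is not Suricata code. The names `flow_key`, `run_sigs` and `sample_packets` are hypothetical, and two behaviours are assumptions of this model: Sig4 unsets the flowbit when the counter reaches the limit, and the counter is reset whenever a flow is armed.

```python
from collections import defaultdict

WINDOW = 200  # packet budget taken from Sig4 in the message above


def flow_key(pkt):
    """Direction-independent key: both directions of a connection share state."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (ends[0], ends[1])


def run_sigs(packets, window=WINDOW, needle=b"Username"):
    """Evaluate the four signatures per packet; return (packet_index, sig) hits."""
    bits = defaultdict(set)    # flowbits: named flags per flow
    ints = defaultdict(int)    # flowint: one counter (sig2_cnt) per flow
    hits = []
    for i, pkt in enumerate(packets):
        key = flow_key(pkt)
        if "inspect_sig1" in bits[key]:
            ints[key] += 1                                 # Sig2: count packet
            if needle in pkt["payload"]:                   # Sig3: gated inspection
                hits.append((i, "sig3"))
            if ints[key] == window:                        # Sig4: budget reached
                bits[key].discard("inspect_sig1")          # assumption: unset here
                hits.append((i, "sig4"))
        elif b"gsecdump" in pkt["payload"]:                # Sig1: arm the flow
            bits[key].add("inspect_sig1")
            ints[key] = 0   # assumption: reset, or a re-armed flow never hits ==
            hits.append((i, "sig1"))
    return hits


def sample_packets():
    """Constructed traffic: flow A is triggered, flow B never is."""
    a = {"src": "192.0.2.10", "sport": 40000, "dst": "192.0.2.20", "dport": 445}
    b = {"src": "192.0.2.30", "sport": 40001, "dst": "192.0.2.20", "dport": 445}
    pkts = [dict(a, payload=b"gsecdump.exe")]
    for n in range(1, 206):                  # 205 follow-up packets on flow A
        body = b"Username: admin" if n in (5, 203) else b"data"
        pkts.append(dict(a, payload=body))
    pkts.append(dict(b, payload=b"Username: guest"))   # untriggered flow
    return pkts


if __name__ == "__main__":
    for idx, sig in run_sigs(sample_packets()):
        print(idx, sig)
```

In this model the state is keyed per flow, so a second connection between the same two hosts starts unarmed; the per-host follow-up asked about in the quoted question would need state that outlives a single flow.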
