[Oisf-users] [Oisf-devel] New Features: Flowint

Rich Rumble richrumble at gmail.com
Tue Sep 14 13:44:41 UTC 2010


On Tue, Sep 14, 2010 at 9:35 AM, Victor Julien <victor at inliniac.net> wrote:
> Wouldn't it be possible to do such a thing with a combination of
> flowbits and flowints?
>
> Sig1: content:"gsecdump"; flowbit:set,inspect_sig1;
> Sig2: flowbit:isset,inspect_sig1; flowint:sig2_cnt,+,1;
> Sig3: flowbit:isset,inspect_sig1;content:"more thorough inspection here";
> Sig4: flowbit:isset,inspect_sig1; flowint:sig2_cnt,==,200;
> flowbit:unset,inspect_sig1;
>
> Sig1 would flag the flow for further inspection. Sig2 would keep a
> packet counter in the flow. Sig 3 would do the actual further inspection
> of those packets. Sig 4 stops the further inspection.
>
> A bit of a hassle I admit :)

I'll sure give it a try! Looks good on paper :)
-rich
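To see how the quoted four-signature chain behaves over a flow, here is an added example (not from this thread, and not Suricata's own engine): a small Python model of per-flow flowbits and flowints that applies the four rules, in list order, to each packet of a constructed flow. The bit name `inspect_sig1`, the counter `sig2_cnt` and the threshold 200 come from the quoted signatures; the packet payloads are constructed. The model also carries a variant that adds a counter reset (`flowint:sig2_cnt,=,0`) to Sig1, which is my addition, to show what happens when the trigger string shows up a second time in the same flow.

```python
# Toy per-flow model of flowbits/flowints semantics. Constructed example:
# it mimics the quoted rule chain; it is not Suricata's detection engine.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FlowState:
    bits: set = field(default_factory=set)    # flowbits currently set
    ints: dict = field(default_factory=dict)  # flowint name -> value


@dataclass
class Rule:
    sid: int
    content: Optional[str] = None      # content:"..." (plain substring match here)
    isset: Optional[str] = None        # flowbit:isset,<name>
    set_bit: Optional[str] = None      # flowbit:set,<name>
    unset_bit: Optional[str] = None    # flowbit:unset,<name>
    add_int: Optional[str] = None      # flowint:<name>,+,1
    eq_int: Optional[tuple] = None     # flowint:<name>,==,<n>
    set_int: Optional[tuple] = None    # flowint:<name>,=,<n> (used by the reset variant)

    def matches(self, payload: str, st: FlowState) -> bool:
        if self.content is not None and self.content not in payload:
            return False
        if self.isset is not None and self.isset not in st.bits:
            return False
        if self.eq_int is not None and st.ints.get(self.eq_int[0], 0) != self.eq_int[1]:
            return False
        return True

    def apply(self, st: FlowState) -> None:
        # Side effects happen only when the rule matched.
        if self.set_bit:
            st.bits.add(self.set_bit)
        if self.set_int:
            st.ints[self.set_int[0]] = self.set_int[1]
        if self.add_int:
            st.ints[self.add_int] = st.ints.get(self.add_int, 0) + 1
        if self.unset_bit:
            st.bits.discard(self.unset_bit)


# The four signatures exactly as quoted in the thread.
QUOTED_RULES = [
    Rule(1, content="gsecdump", set_bit="inspect_sig1"),
    Rule(2, isset="inspect_sig1", add_int="sig2_cnt"),
    Rule(3, isset="inspect_sig1", content="more thorough inspection here"),
    Rule(4, isset="inspect_sig1", eq_int=("sig2_cnt", 200), unset_bit="inspect_sig1"),
]

# Added variant: Sig1 also resets the counter (flowint:sig2_cnt,=,0).
RESET_RULES = [Rule(1, content="gsecdump", set_bit="inspect_sig1",
                    set_int=("sig2_cnt", 0))] + QUOTED_RULES[1:]


def run_flow(payloads, rules):
    """Apply every rule, in list order, to each packet of one flow.
    Returns (alerts, final_state); alerts are (packet_index, sid) pairs."""
    st = FlowState()
    alerts = []
    for i, payload in enumerate(payloads):
        for r in rules:
            if r.matches(payload, st):
                r.apply(st)
                alerts.append((i, r.sid))
    return alerts, st


def sample_flow():
    # Constructed flow: trigger, a few packets, one packet that deserves the
    # deeper check, then enough traffic to exhaust the 200-packet budget.
    return (["gsecdump"] + ["data"] * 4
            + ["more thorough inspection here"] + ["data"] * 250)


def sample_flow_retrigger():
    # Same flow, then the trigger string appears a second time.
    return sample_flow() + ["gsecdump"] + ["data"] * 300


def packets_inspected(alerts):
    """Number of packets on which Sig2 (the counter) fired."""
    return sum(1 for _, sid in alerts if sid == 2)


if __name__ == "__main__":
    for name, rules in (("quoted", QUOTED_RULES), ("with reset", RESET_RULES)):
        alerts, st = run_flow(sample_flow_retrigger(), rules)
        print(f"{name}: Sig2 fired {packets_inspected(alerts)} times, "
              f"inspect bit still set at end: {'inspect_sig1' in st.bits}")
```

With the quoted chain, Sig4 unsets the bit on the 200th counted packet and inspection stops as intended. If the trigger appears again later in the same flow, Sig1 re-sets the bit but the counter is already past 200, so Sig4 never matches again and Sig2/Sig3 run for the rest of the flow; the reset variant gives each trigger a fresh 200-packet window. Two things the model assumes that should be checked against real traffic rather than taken for granted: rules are evaluated in list order within a packet (Sig2 increments before Sig4 compares), which the engine's own ordering may not guarantee, and Sig1, Sig2 and Sig4 would need `flowbits:noalert;` in a real ruleset so that only Sig3 produces alerts.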
