[Oisf-users] [Oisf-devel] New Features: Flowint

Victor Julien victor at inliniac.net
Fri Sep 17 10:25:37 UTC 2010


Rich Rumble wrote:
> On Tue, Sep 14, 2010 at 9:35 AM, Victor Julien <victor at inliniac.net> wrote:
>> Wouldn't it be possible to do such a thing with a combination of
>> flowbits and flowints?
>>
>> Sig1: content:"gsecdump"; flowbit:set,inspect_sig1;
>> Sig2: flowbit:isset,inspect_sig1; flowint:sig2_cnt,+,1;
>> Sig3: flowbit:isset,inspect_sig1;content:"more thorough inspection here";
>> Sig4: flowbit:isset,inspect_sig1; flowint:sig2_cnt,==,200;
>> flowbit:unset,inspect_sig1;
>>
>> Sig1 would flag the flow for further inspection. Sig2 would keep a
>> packet counter in the flow. Sig 3 would do the actual further inspection
>> of those packets. Sig 4 stops the further inspection.
>>
>> A bit of a hassle I admit :)
> 
> I'll sure give it a try! Looks good on paper :)
> -rich

Cool, let us know how it works for you!

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
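The inspection window sketched in the quoted rules can be checked on paper by modelling it. The block below is an added example, not part of this thread and not Suricata's own code: it is a simplified per-flow state machine that evaluates the four signatures in sid order on every packet of one flow (an assumption; Suricata's real matching order and flowint semantics are more involved), with flowbits as a set of names and flowints as a dict of counters. The packet payloads, the sig1..sig4 names and the helper functions are constructed for the illustration.

```python
"""Model of the flowbit/flowint inspection window from the thread.

Assumptions (not Suricata behaviour): all four sigs are evaluated in order on
every packet of a flow, and a sig's flowbit/flowint side effects are visible to
the sigs evaluated after it on the same packet.
"""
from dataclasses import dataclass, field

WINDOW = 200  # packets kept under deeper inspection (value from the thread)


@dataclass
class FlowState:
    bits: set = field(default_factory=set)    # flowbits set on this flow
    ints: dict = field(default_factory=dict)  # flowints kept on this flow


def sig1(pkt, st):
    # content:"gsecdump"; flowbit:set,inspect_sig1;
    if b"gsecdump" in pkt:
        st.bits.add("inspect_sig1")
        return True
    return False


def sig2(pkt, st):
    # flowbit:isset,inspect_sig1; flowint:sig2_cnt,+,1;
    if "inspect_sig1" in st.bits:
        st.ints["sig2_cnt"] = st.ints.get("sig2_cnt", 0) + 1
        return True
    return False


def sig3(pkt, st):
    # flowbit:isset,inspect_sig1; content:"more thorough inspection here";
    return "inspect_sig1" in st.bits and b"more thorough inspection here" in pkt


def sig4(pkt, st):
    # flowbit:isset,inspect_sig1; flowint:sig2_cnt,==,200; flowbit:unset,inspect_sig1;
    if "inspect_sig1" in st.bits and st.ints.get("sig2_cnt", 0) == WINDOW:
        st.bits.discard("inspect_sig1")
        return True
    return False


SIGS = (sig1, sig2, sig3, sig4)


def run_flow(packets):
    """Evaluate every sig on every packet; return (per-packet alert sets, final state)."""
    st = FlowState()
    alerts = []
    for pkt in packets:
        fired = {s.__name__ for s in SIGS if s(pkt, st)}
        alerts.append(fired)
    return alerts, st


def inspected_packets(alerts):
    """0-based indices of packets that were inside the window (sig2 counted them)."""
    return [i for i, a in enumerate(alerts) if "sig2" in a]


def sample_flow():
    """Constructed payloads for one 300-packet flow (not captured traffic)."""
    pkts = [b"GET / HTTP/1.1"] * 300
    pkts[1] = b"run gsecdump -a"                   # trigger for sig1
    pkts[50] = b"more thorough inspection here"    # inside the 200-packet window
    pkts[240] = b"more thorough inspection here"   # after the window has closed
    return pkts


def retriggered_flow():
    """Same flow, but the trigger string appears a second time after the window closed."""
    pkts = sample_flow()
    pkts[230] = b"gsecdump once more"
    return pkts


if __name__ == "__main__":
    alerts, _ = run_flow(sample_flow())
    win = inspected_packets(alerts)
    print(f"window covers packets {win[0]}..{win[-1]} ({len(win)} packets)")
    print("sig3 hit at 50:", "sig3" in alerts[50], "| at 240:", "sig3" in alerts[240])
    alerts2, st2 = run_flow(retriggered_flow())
    print("after re-trigger, sig3 hit at 240:", "sig3" in alerts2[240],
          "| bit still set at end:", "inspect_sig1" in st2.bits)
```

Running the model shows the window is exactly the 200 packets from the trigger onward, and that the second scenario exposes a caveat worth knowing before deploying the sketch: `sig2_cnt` is never reset, so once it has passed 200 a later `gsecdump` hit in the same flow re-sets the flowbit and `==,200` can never close the window again. Resetting the counter in Sig4 (flowint also supports assigning a value) is the natural fix.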
