[Oisf-users] real time alert on tcp stream and flowint

Nikolay Denev ndenev at gmail.com
Thu Feb 9 20:03:12 UTC 2012


Hi all,

It's probably a stupid question and I'm missing something, but I don't seem to be able
to generate an alert immediately when, for example, a given string is found inside a TCP stream.
When the TCP connection closes, Suricata immediately prints the alert in fast.log.
How can I make the alert be generated immediately when the rule condition is matched?

Also, I don't know if it's because of this, but I don't seem to be able to trigger the rule to match several times on the same stream,
while I have the string that should fire the alert several times in the stream.

Here's an example:

alert tcp $HOME_NET 6666 -> any any \
        (msg:"got one"; content:"something"; flowint:something,notset; flowint:something,=,1; sid:10;)

alert tcp $HOME_NET 6666 -> any any \
        (msg:"got five or more"; content:"something"; flowint:something,isset; flowint:something,+,1; flowint:something,>,5; sid:11;)

This never works; I just have the first rule fire once when the TCP session is terminated.


P.S.: As a side note, the wiki should probably be updated to include "sid"s for the rules, as currently when I try to run the examples
Suricata complains about duplicated rules.

Thanks,
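An added example, not part of the original post or of Suricata itself: a small fast.log parser that counts how many times each sid fired per TCP flow, which is the check the question above calls for (did sid 10 or sid 11 fire more than once on the same stream?). The log lines are constructed samples in the standard fast.log layout; hosts, ports and timestamps are made up.

```python
import re
from collections import Counter

# fast.log line layout (Suricata):
# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+.*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

def parse_fast_log(lines):
    """Yield one dict per parsable alert line; lines that do not match are skipped."""
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def alerts_per_flow(lines):
    """Count how often each sid fired on each flow. The flow key is direction-
    independent so alerts on both halves of a session land in the same bucket."""
    counts = Counter()
    for a in parse_fast_log(lines):
        ends = sorted([(a["src"], a["sport"]), (a["dst"], a["dport"])])
        flow = (a["proto"], ends[0], ends[1])
        counts[(flow, int(a["sid"]))] += 1
    return counts

def summarize(lines):
    """Return {sid: max alerts seen on any single flow}; a value of 1 for a
    counter rule means it never re-fired on the same stream."""
    per_sid = {}
    for (_flow, sid), n in alerts_per_flow(lines).items():
        per_sid[sid] = max(per_sid.get(sid, 0), n)
    return per_sid

# Constructed sample log: two flows from port 6666, sid 10 once on each,
# sid 11 once on the second flow, plus one unparsable line.
SAMPLE = """\
02/09/2012-19:58:01.000100  [**] [1:10:0] got one [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:6666 -> 192.168.1.20:51234
02/09/2012-19:58:03.000200  [**] [1:10:0] got one [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:6666 -> 192.168.1.21:51300
02/09/2012-19:58:05.000300  [**] [1:11:0] got five or more [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:6666 -> 192.168.1.21:51300
garbage line that should be ignored
""".splitlines()

if __name__ == "__main__":
    for (flow, sid), n in sorted(alerts_per_flow(SAMPLE).items()):
        print(f"sid {sid} fired {n}x on {flow}")
    print(summarize(SAMPLE))
```

Point it at a real fast.log with `alerts_per_flow(open("/var/log/suricata/fast.log"))` and look for any sid whose per-flow count stays at 1.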
