[Oisf-users] real time alert on tcp stream and flowint

Peter Manev petermanev at gmail.com
Sat Feb 11 10:11:24 UTC 2012


On Fri, Feb 10, 2012 at 6:43 AM, Nikolay Denev <ndenev at gmail.com> wrote:

>
> On Feb 9, 2012, at 10:04 PM, Nikolay Denev wrote:
>
> > On Feb 9, 2012, at 10:03 PM, Nikolay Denev wrote:
> >
> >> Hi all,
> >>
> >> It's probably a stupid question and I'm missing something, but I don't
> >> seem to be able to generate an alert immediately when, for example, a
> >> given string is found inside a TCP stream.
> >> When the TCP connection closes, suricata immediately prints the alert
> >> in fast.log.
> >> How can I make the alert be generated immediately when the rule
> >> condition is matched?
> >>
> >> Also, I don't know if it's because of this, but I don't seem to be able
> >> to trigger the rule to match several times on the same stream,
> >> while I have the string that should fire the alert several times in the
> >> stream.
> >>
> >> Here's an example :
> >>
> >> alert tcp $HOME_NET 6666 -> any any \
> >>       (msg:"got one"; content:"something"; flowint:something,notset; \
> >>       flowint:something,=,1; sid:10;)
> >>
> >> alert tcp $HOME_NET 6666 -> any any \
> >>       (msg:"got five or more"; content:"something"; flowint:something,isset; \
> >>       flowint:something,+,1; flowint:something,>,5; sid:11;)
> >>
> >> This never works, I just have the first rule fire once when the TCP
> >> session is terminated.
> >>
> >>
> >> P.S.: As a side note, the wiki should probably be updated to include
> >> "sid"s for the rules, as currently when I try to run the examples
> >> suricata complains about duplicated rules.
> >>
> >> Thanks,
> >>
> >
> > I'm running 1.2.1 RELEASE on FreeBSD-9.0-STABLE.
>
> This seems to work:
>
> alert tcp $HOME_NET 6666 -> any any \
>         (msg:"got one"; content:"something"; flowint:something,notset; \
>         flowint:something,=,1; noalert; sid:10; priority: 1;)
>
> alert tcp $HOME_NET 6666 -> any any \
>         (msg:"got more"; content:"something"; flowint:something,isset; \
>         flowint:something,+,1; noalert; sid:11; priority: 2;)
>
> alert tcp $HOME_NET 6666 -> any any \
>         (msg:"got too many"; content:"something"; flowint:something,isset; \
>         flowint:something,>,2; sid:12; priority: 3;)
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>


Hi Nikolay,
I think this is the way it is supposed to work. (last example, by you).

When you take out "noalert" from sid 11 - does it fire?

And are these the only rules that are loaded in terms of flowint or you
have others before that?

thanks



-- 
Peter Manev
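
Added illustration (not part of the thread, and not Suricata's own code): a constructed Python model that replays Nikolay's final three-rule set (sid 10/11 noalert, sid 12 alerting) against a sample stream in two inspection modes. It assumes a simplified rule-evaluation model: `content` is a yes/no test per inspected buffer, the flowint keywords of a rule run left to right and stop at the first failure, and rules run in list order. Whether Suricata hands the detection engine each segment or one reassembled chunk at stream close depends on the stream engine's configuration and version; here both cases are simply modelled so the difference in counter value and alert count is visible. The rule, flow and segment names are made up for the example.

```python
"""Toy model of Suricata flowint bookkeeping on a single TCP flow.

Constructed simulation, not Suricata code.  Modelling assumptions:
  * a rule is evaluated once per inspected buffer (a packet payload or a
    reassembled stream chunk), and `content` is a yes/no test on that buffer,
    so a string occurring three times in one buffer still yields one match;
  * the flowint keywords of a rule run left to right and stop at the first
    failure, so `+,1` in a rule is applied before a later `>` comparison;
  * rules are evaluated in list order (the thread's priority: 1/2/3).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (modifier, variable, value); value is None for isset/notset
FlowintOp = Tuple[str, str, Optional[int]]


@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes
    flowint: List[FlowintOp]
    noalert: bool = False


@dataclass
class Flow:
    ints: Dict[str, int] = field(default_factory=dict)
    alerts: List[int] = field(default_factory=list)   # sids that alerted, in order


def flowint_step(flow: Flow, op: str, name: str, value: Optional[int]) -> bool:
    """Apply one flowint keyword to the flow; False means the rule stops matching."""
    cur = flow.ints.get(name)
    if op == "notset":
        return cur is None
    if op == "isset":
        return cur is not None
    if op == "=":
        flow.ints[name] = value
        return True
    if op in ("+", "-"):
        # Assumption of this model: arithmetic on an unset variable starts from 0.
        # The thread's rules always guard + with isset, so this path is not exercised.
        base = 0 if cur is None else cur
        flow.ints[name] = base + value if op == "+" else base - value
        return True
    if cur is None:            # comparisons against an unset variable never match
        return False
    return {">": cur > value, "<": cur < value, "==": cur == value}[op]


def inspect(rules: List[Rule], flow: Flow, buffer: bytes) -> List[int]:
    """Run every rule once over one inspected buffer; return the sids that alerted."""
    fired = []
    for r in rules:
        if r.content not in buffer:
            continue
        # all() short-circuits, mirroring in-order keyword evaluation
        if all(flowint_step(flow, op, name, val) for op, name, val in r.flowint):
            if not r.noalert:
                flow.alerts.append(r.sid)
                fired.append(r.sid)
    return fired


# The three-rule set from the thread: two noalert rules maintain the counter,
# the third alerts once the counter exceeds 2.
RULES = [
    Rule(10, "got one", b"something",
         [("notset", "something", None), ("=", "something", 1)], noalert=True),
    Rule(11, "got more", b"something",
         [("isset", "something", None), ("+", "something", 1)], noalert=True),
    Rule(12, "got too many", b"something",
         [("isset", "something", None), (">", "something", 2)]),
]

# Constructed sample stream: the string appears in three of four segments.
SEGMENTS = [b"hello something\n", b"another something\n",
            b"and something again\n", b"bye\n"]


def run(rules: List[Rule], buffers: List[bytes]) -> Flow:
    flow = Flow()
    for b in buffers:
        inspect(rules, flow, b)
    return flow


def per_segment() -> Flow:
    """Each segment inspected on arrival: counter climbs to 4, sid 12 fires twice."""
    return run(RULES, SEGMENTS)


def at_close() -> Flow:
    """Whole stream inspected as one reassembled chunk: one match, counter 2, no alert."""
    return run(RULES, [b"".join(SEGMENTS)])


if __name__ == "__main__":
    for label, fn in (("per segment", per_segment), ("single chunk", at_close)):
        f = fn()
        print(f"{label}: counter={f.ints.get('something')} alerts={f.alerts}")
```

Two details of the model are worth noticing when reading the thread. First, sid 10 and sid 11 both match the first buffer that contains the string, so the counter starts at 2 rather than 1, and sid 12 (counter > 2) alerts on the second matching buffer, not the third. Second, when the three occurrences arrive in a single inspected chunk, `content` matches once, the counter stays at 2 and nothing alerts, which is the same shape as the "fires once at session end" behaviour Nikolay describes.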