[Oisf-users] real time alert on tcp stream and flowint

Nikolay Denev ndenev at gmail.com
Sat Feb 11 15:31:26 UTC 2012


On Feb 11, 2012, at 12:11 PM, Peter Manev wrote:

> 
> 
> On Fri, Feb 10, 2012 at 6:43 AM, Nikolay Denev <ndenev at gmail.com> wrote:
> 
> On Feb 9, 2012, at 10:04 PM, Nikolay Denev wrote:
> 
> > On Feb 9, 2012, at 10:03 PM, Nikolay Denev wrote:
> >
> >> Hi all,
> >>
> >> It's probably a stupid question and I'm missing something, but I don't seem to be able
> >> to generate an alert immediately when, for example, a given string is found inside a TCP stream.
> >> When the TCP connection closes, suricata immediately prints the alert in fast.log.
> >> How can I make the alert be generated immediately when the rule condition is matched?
> >>
> >> Also I don't know if it's because of this that I don't seem to be able to trigger the rule to match several times on the same stream,
> >> while I have the string that should fire the alert several times in the stream.
> >>
> >> Here's an example :
> >>
> >> alert tcp $HOME_NET 6666 -> any any \
> >>       (msg:"got one"; content:"something"; flowint:something,notset; flowint:something,=,1; sid:10;)
> >>
> >> alert tcp $HOME_NET 6666 -> any any \
> >>       (msg:"got five or more"; content:"something"; flowint:something,isset; flowint:something,+,1; flowint:something,>,5; sid:11;)
> >>
> >> This never works, I just have the first rule fire once when the TCP session is terminated.
> >>
> >>
> >> P.S.: As a side note the wiki should be updated to include probably "sid"s for the rules, as currently when I try to run the examples
> >> suricata complains about duplicated rules.
> >>
> >> Thanks,
> >>
> >
> > I'm running 1.2.1 RELEASE on FreeBSD-9.0-STABLE.
> 
> This seems to work :
> 
> alert tcp $HOME_NET 6666 -> any any \
>        (msg:"got one"; content:"something"; flowint:something,notset; flowint:something,=,1; noalert; sid:10; priority: 1;)
> 
> alert tcp $HOME_NET 6666 -> any any \
>        (msg:"got more"; content:"something"; flowint:something,isset; flowint:something,+,1; noalert; sid:11; priority: 2;)  
> 
> alert tcp $HOME_NET 6666 -> any any \
>        (msg:"got too many"; content:"something"; flowint:something,isset; flowint:something,>,2; sid:12; priority: 3;)
> 
> 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> 
> Hi Nikolay,
> I think this is the way it is supposed to work. (last example, by you).
> 
> When you take out "noalert" from sid 11 - does it fire ?
> 
> And are these the only rules that are loaded in terms of flowint or you have others before that?
> 
> thanks
> 
> 
> 
> -- 
> Peter Manev


Yes, it fires, the problem I have is that it doesn't fire for each occurrence of "content". 
Is alert supposed to fire once per packet if it matches, or for each match in the stream?

For example now I'm using these rules to catch if there are more than some defined amount of email addresses in a given stream :


alert tcp $HOME_NET 80 -> any any \
        (msg:"got one email addr"; content:"|40|"; pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \
        flow:established,from_server; flowint:something,notset; flowint:something,=,1; sid:10; priority:3; noalert;)

alert tcp $HOME_NET 80 -> any any \
        (msg:"got more email addrs"; content:"|40|"; pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \
        flow:established,from_server; flowint:something,isset; flowint:something,+,1; sid:11; priority:2; noalert;)

alert tcp $HOME_NET 80 -> any any \
        (msg:"Got too many email addrs!"; content:"|40|"; pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \
        flow:established,from_server; flowint:something,isset; flowint:something,>,10; sid:12; priority:1; classtype:policy-violation;)


This for example works, but would not match for a simple plain text file with 10 email addresses, I need to have maybe 40-50 or more for this to match.
Maybe I'm missing something…

And yes, these are my only rules that I'm testing with. No other rules with or without flowint whatsoever.
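The observation above is consistent with a signature matching at most once per inspected packet: the flowint counter then counts matching packets, not pattern occurrences, so ten addresses carried in a couple of packets never reach `>,10`. The Python below is an added model of the three rules (not Suricata code and not from the thread); it assumes one increment per matching packet and that sid 10 and sid 11 are mutually exclusive on a given packet.

```python
import re

# Added model of the rule set in the thread: it is not Suricata code. It assumes
# that a signature matches at most once per inspected packet, so the flowint
# counter advances once per matching packet, however many addresses that
# packet contains.
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}", re.I)
THRESHOLD = 10  # "flowint:something,>,10" in sid 12


def count_addresses(packets):
    """Total pattern occurrences across the flow (what one might expect to count)."""
    return sum(len(EMAIL_RE.findall(p)) for p in packets)


def process_flow(packets):
    """Evaluate sid 10/11/12 against each packet of one flow.

    Returns (number of sid 12 alerts, final value of flowint 'something').
    """
    flowint = {}  # per-flow integer variables
    alerts = 0
    for payload in packets:
        # content:"|40|"; pcre:"/.../i" -> a single yes/no decision per packet
        if not EMAIL_RE.search(payload):
            continue
        if "something" not in flowint:
            # sid 10: flowint:something,notset; flowint:something,=,1; noalert
            flowint["something"] = 1
        else:
            # sid 11: flowint:something,isset; flowint:something,+,1; noalert
            flowint["something"] += 1
        # sid 12: flowint:something,isset; flowint:something,>,10 -> alert
        if flowint["something"] > THRESHOLD:
            alerts += 1
    return alerts, flowint.get("something", 0)


# Constructed sample data: ten addresses (there is no real traffic here).
ADDRS = [f"user{i}@example.com" for i in range(10)]
# The same ten addresses delivered as two packets of five addresses each...
TWO_PACKETS = [" ".join(ADDRS[:5]), " ".join(ADDRS[5:])]
# ...versus twelve packets carrying one address each (two addresses repeat).
TWELVE_PACKETS = ADDRS + ADDRS[:2]

if __name__ == "__main__":
    print(count_addresses(TWO_PACKETS), process_flow(TWO_PACKETS))        # 10 (0, 2)
    print(count_addresses(TWELVE_PACKETS), process_flow(TWELVE_PACKETS))  # 12 (2, 12)
```

Once the counter exceeds the threshold, sid 12 fires again on every further matching packet in the flow, which is why a long transfer with many addresses eventually alerts while a short one never does.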
