[Oisf-users] real time alert on tcp stream and flowint

Sat Feb 11 19:14:08 UTC 2012

On Sat, Feb 11, 2012 at 7:42 PM, Nikolay Denev <ndenev at gmail.com> wrote:

>
> On Feb 11, 2012, at 7:52 PM, Peter Manev wrote:
>
>
>
> On Sat, Feb 11, 2012 at 4:31 PM, Nikolay Denev <ndenev at gmail.com> wrote:
>
>>
>> On Feb 11, 2012, at 12:11 PM, Peter Manev wrote:
>>
>>
>>
>> On Fri, Feb 10, 2012 at 6:43 AM, Nikolay Denev <ndenev at gmail.com> wrote:
>>
>>>
>>> On Feb 9, 2012, at 10:04 PM, Nikolay Denev wrote:
>>>
>>> > On Feb 9, 2012, at 10:03 PM, Nikolay Denev wrote:
>>> >
>>> >> Hi all,
>>> >>
>>> >> It's probably stupid question and I'm missing something but I don't
>>> seem to be able
>>> >> to generate alert immediately when for example a given string is
>>> found inside a TCP stream.
>>> >> When the TCP connection closes, suricata immediately prints the alert
>>> in fast.log.
>>> >> How can I make the alert be generated immediately when the rule
>>> condition is matched?
>>> >>
>>> >> Also I don't know if its because of this I don't seem to be able to
>>> trigger the rule to match several times on the same stream,
>>> >> while I have the string that should fire the alert several times in
>>> the stream.
>>> >>
>>> >> Here's an example :
>>> >>
>>> >> alert tcp $HOME_NET 6666 -> any any \
>>> >>       (msg:"got one"; content:"something"; flowint:something,notset;
>>> flowint:something,=,1; sid:10;)
>>> >>
>>> >> alert tcp $HOME_NET 6666 -> any any \
>>> >>       (msg:"got five or more"; content:"something";
>>> flowint:something,isset; flowint:something,+,1; flowint:something,>,5;
>>> sid:11;)
>>> >>
>>> >> This never works, I just have the first rule fire once when the TCP
>>> session is terminated.
>>> >>
>>> >>
>>> >> P.S.: As a side note the wiki should be updated to include probably
>>> "sid"s for the rules, as currently when I try to run the examples
>>> >> suricata complains about duplicated rules.
>>> >>
>>> >> Thanks,
>>> >>
>>> >
>>> > I'm running 1.2.1 RELEASE on FreeBSD-9.0-STABLE.
>>>
>>> This seems to work :
>>>
>>> alert tcp $HOME_NET 6666 -> any any \
>>>         (msg:"got one"; content:"something"; flowint:something,notset;
>>> flowint:something,=,1; noalert; sid:10; priority: 1;)
>>>
>>> alert tcp $HOME_NET 6666 -> any any \
>>>         (msg:"got more"; content:"something"; flowint:something,isset;
>>> flowint:something,+,1; noalert; sid:11; priority: 2;)
>>>
>>
>>> alert tcp $HOME_NET 6666 -> any any \
>>>         (msg:"got too many"; content:"something";
>>> flowint:something,isset; flowint:something,>,2; sid:12; priority: 3;)
>>>
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>
>>
>> Hi Nikolay,
>> I think this is the way it is supposed to work. (last example, by you).
>>
>> When you take out "noalert" form sid 11 - does it fire ?
>>
>> And are these the only rules that are loaded in terms of flowint or you
>> have others before that?
>>
>> thanks
>>
>>
>>
>> --
>> Peter Manev
>>
>>
>>
>> Yes, It fires, the problem I have is that it doesn't fire for each
>> occurence of "content".
>> Is alert supposed to fire once per packet if it matches, or for each
>> match in the stream?
>>
>> For example now I'm using these rules to catch if there are more than
>> some defined amount of email addresses in a given stream :
>>
>>
>> alert tcp $HOME_NET 80 -> any any \
>>         (msg:"got one email addr"; content:"|40|";
>> pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \
>>         flow:established,from_server; flowint:something,notset;
>> flowint:something,=,1; sid:10; priority:3; noalert;)
>>
>> alert tcp $HOME_NET 80 -> any any \
>>         (msg:"got more email addrs"; content:"|40|";
>> pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \
>>         flow:established,from_server; flowint:something,isset;
>> flowint:something,+,1; sid:11; priority:2; noalert;)
>>
>> alert tcp $HOME_NET 80 -> any any \
>>         (msg:"Got too many email addrs!"; content:"|40|";
>> pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \
>>         flow:established,from_server; flowint:something,isset;
>> flowint:something,>,10; sid:12; priority:1; classtype:policy-violation;)
>>
>>
>> This for example works, but would not match for a simple plain text file
>> with 10 email adresses, I need to have maybe 40-50 or more for this to
>> match.
>> Maybe I'm missing something…
>>
> And yes, these are my only rules that I'm testing with. No other rules
>> with or without flowint whatsoever.
>>
>>
> Hi ,
> Just so I understand you correctly - you have a text file (in the stream)
> and in that text file you have 10 e-mail addresses and it wold not fire.
> correct ?
>
>
> thanks
>
>
> --
> Peter Manev
>
>
> Exactly.
>
> For example if I try to fetch the file emails.txt via http which has the
> following content :
>
> # cat emails.txt
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
>
> $ curl http://testserver/emails.txt
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> edin at email.com
> $
>
> And I also remove the "noalert" option from the rules, this is what I get
> in fast.log :
>
> 02/11/2012-20:37:23.988271  [**] [1:10:0] got one email addr [**]
> [Classification: (null)] [Priority: 3] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:57923
> 02/11/2012-20:37:23.988271  [**] [1:11:0] got more email addrs [**]
> [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:57923
>
>
> If I change the third rule to fire if the flowint var is more than 1, it
> is being triggered.
>
> If I insert some random data between the email addresses in the text file,
> then I get 4 maybe 5 matches. Doesn't it have to match all 10 of them?
>

1. What happens if you take out  the PCRE expressions from all the rules ?
2. sid:12 - should not fire because you have >10 , and there are exactly 10
e-mails in the file
3. how big is the stream itself? i think it is below 2KB, correct?
4. is the PCRE matching the e-mails, under the unix shell ?
5. yes i think you should get more sid:11 alerts - but first lets
investigate the above 4.

thanks

-- 
Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120211/ffbd21ac/attachment-0002.html>