[Oisf-users] real time alert on tcp stream and flowint
Victor Julien
victor at inliniac.net
Tue Feb 14 09:44:30 UTC 2012
On 02/14/2012 10:29 AM, Peter Manev wrote:
> > Let's for example have only this rule in suricata :
> >
> > alert tcp $HOME_NET 6666 -> any any (msg:"match"; content:"|40|";)
> >
> > Then on a monitored machine from the $HOME_NET range I do :
> >
> > echo "@ @ @ @ @ @ @ @ @" | nc -l 6666
> >
> > And on different host I do :
> >
> > nc testserver 6666
> >
> > This gets the ten @ chars transferred, and I get only one alert.
> > But for example if I echo more @ chars, like 5000 or something, I get
> > 3-6 alerts.
> > I have to check what is actually the number of packets with payload,
> > probably the rule
> > is matched once per packet? But this could not explain that I get
> > different number of alerts on different runs.
>
> The behavior is by design. TCP data by default is inspected in the
> stream context, which means the "@ @ @ @ @ @ @ @ @" buffer is inspected
> at once.
>
> Suricata will not try to find every possible match in a
> payload, but just one.
>
> That's good to know - clears out a few questions of mine....
> but then a PCRE (matching on 10 "@") should match all of them - correct?
> having in mind they are in the same "chunk".
Right, but it will be an expensive rule :)
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
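An added illustration, not part of the thread and not Suricata's code: a small Python model of the behaviour Victor describes. It inspects the same payload once per packet and once per reassembled stream chunk, counting at most one alert per inspected buffer, and shows why a pattern spanning segment boundaries (the ten-"@" pcre) is only found in the stream context. The segment and chunk sizes, the pcre pattern and the payload are constructed assumptions; in the real engine the chunk boundaries depend on timing and stream reassembly settings, which is what makes the alert count vary between runs.

```python
import re

# Added example: a toy model of per-packet versus stream-context inspection.
# It is NOT Suricata's engine; chunk sizes and the pcre below are constructed
# for illustration. Constructed payload: ten "@" characters separated by
# spaces, like the thread's `echo "@ @ ..." | nc -l 6666` experiment.
PAYLOAD = b" ".join([b"@"] * 10) + b"\n"

# Equivalent of content:"|40|" (a single 0x40 '@' byte).
CONTENT = b"\x40"
# Hypothetical pcre requiring ten '@' separated by single spaces.
TEN_AT = re.compile(rb"(?:@ ){9}@")


def segment(data: bytes, size: int) -> list[bytes]:
    """Cut a stream into fixed-size pieces. For per-packet inspection these
    stand in for TCP segments; for stream inspection they stand in for the
    reassembled chunks handed to detection. `size` is a constructed knob."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def alerts(buffers: list[bytes], matcher) -> int:
    """At most one alert per inspected buffer: as the thread says, the engine
    looks for a single match in a buffer, not every occurrence."""
    return sum(1 for buf in buffers if matcher(buf))


def content_hit(buf: bytes) -> bool:
    """The content:"|40|" rule: any '@' byte in the buffer."""
    return CONTENT in buf


def pcre_hit(buf: bytes) -> bool:
    """The ten-'@' pcre: only matches if the whole run lies in one buffer."""
    return TEN_AT.search(buf) is not None


def compare(segment_size: int, stream_chunk: int) -> dict:
    """Alert counts for the same payload under both inspection models."""
    packets = segment(PAYLOAD, segment_size)
    stream = segment(PAYLOAD, stream_chunk)
    return {
        "packets": len(packets),
        "content_per_packet": alerts(packets, content_hit),
        "content_stream": alerts(stream, content_hit),
        "pcre_per_packet": alerts(packets, pcre_hit),
        "pcre_stream": alerts(stream, pcre_hit),
    }


if __name__ == "__main__":
    # Whole payload inspected as one buffer: one alert however many '@'
    # bytes it contains, and the spanning pcre is found.
    print(compare(segment_size=4, stream_chunk=len(PAYLOAD)))
    # Reassembled data delivered in smaller chunks: more content alerts,
    # and the number depends on where the chunk boundaries fall.
    print(compare(segment_size=4, stream_chunk=8))
```

Running it prints five content alerts for per-packet inspection of the 4-byte segments against a single alert for the whole-stream buffer, and the ten-"@" pcre fires only in the stream context; with 8-byte chunks the content count rises to three, which is the run-to-run variation the question asks about.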