[Oisf-users] flowint br0ken ?

Victor Julien victor at inliniac.net
Thu Jan 5 17:44:52 UTC 2012


On 12/30/2011 09:20 AM, Edward Fjellskål wrote:
> 
> Hi,
> 
> My flowint rules seem to have stopped working.
> (Using 1.1.1)
> 
> Example:
> 
> alert ip any any -> any any (msg:"TEST SET"; flowint:test,+,1; 
> classtype:not-suspicious; sid:100; rev:1;)
> alert ip any any -> any any (msg:"TEST FIRE"; flowint:test,>,0; 
> classtype:not-suspicious; sid:101; rev:1;)
> 
> 
> None of them fire.
> 
> Can anyone else confirm this?

This works if you first "set" the var to 0:

alert ip any any -> any any (msg:"TEST SET"; flowint:test,notset;
flowint:test,=,0; classtype:not-suspicious; sid:100; rev:1;)
alert ip any any -> any any (msg:"TEST SET"; flowint:test,+,1;
classtype:not-suspicious; sid:101; rev:1;)
alert ip any any -> any any (msg:"TEST FIRE"; flowint:test,>,0;
classtype:not-suspicious; sid:102; rev:1;)

I've just committed code to the git master (soon to be 1.2) that removed
the need for the "set". The increment rule will init the var to 0
automagically.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
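To make the difference concrete, here is a small Python model of the flowint semantics described in this thread (a constructed example, not Suricata's own code): one flow variable, conditions evaluated left to right with `=` and `+` applied as a side effect of matching, and an `autoinit` flag that switches between the 1.1.1 behaviour (increment on an unset var does not match) and the git master/1.2 behaviour (increment initialises the var to 0).

```python
"""Toy model of the flowint behaviour discussed above (constructed example,
not Suricata code). A single flow variable "test"; conditions in a rule are
checked left to right and "=" / "+" mutate the flow as part of matching."""
from typing import Dict, List, Optional, Tuple

Cond = Tuple[str, Optional[int]]   # (operator, value)
Rule = Tuple[int, List[Cond]]      # (sid, conditions)
FlowVars = Dict[str, Optional[int]]

def eval_rule(conds: List[Cond], flow: FlowVars, autoinit: bool) -> bool:
    """True when every condition matches. autoinit=False models 1.1.1,
    autoinit=True models the git master / 1.2 change Victor describes."""
    for op, val in conds:
        cur = flow.get("test")
        if op == "notset":
            if cur is not None:
                return False
        elif op == "=":
            flow["test"] = val
        elif op == "+":
            if cur is None:
                if not autoinit:
                    return False     # old code: unknown var, no match
                cur = 0              # new code: initialise to 0, then add
            flow["test"] = cur + val
        elif op == ">":
            if cur is None or cur <= val:
                return False
        else:
            raise ValueError(f"unsupported flowint op {op!r}")
    return True

def run(rules: List[Rule], packets: int, autoinit: bool) -> List[int]:
    """Evaluate every rule for each packet of one flow; return fired sids."""
    flow: FlowVars = {}
    fired: List[int] = []
    for _ in range(packets):
        for sid, conds in rules:
            if eval_rule(conds, flow, autoinit):
                fired.append(sid)
    return fired

# Edward's two-rule set and Victor's three-rule set, as (sid, conditions).
TWO_RULES: List[Rule] = [(100, [("+", 1)]), (101, [(">", 0)])]
THREE_RULES: List[Rule] = [(100, [("notset", None), ("=", 0)]),
                           (101, [("+", 1)]), (102, [(">", 0)])]
```

Running `run(TWO_RULES, 2, autoinit=False)` reproduces the report (nothing fires), while the three-rule set fires 100, 101, 102 on the first packet and 101, 102 on the second.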