[Oisf-users] rule for inspecting first packet in tcp stream only

Justin Cinkelj justin.cinkelj at xlab.si
Thu Apr 25 16:34:28 UTC 2013


only_stream works, yes, and the rule is short and elegant. I like it.
Match occurs only when terminating the stream. So while usually 
individual packets are inspected, in this case only the stream as a whole is 
inspected, and this is after closing the stream?

Wouldn't that consume memory if the connection is long-lasting (file upload, 
websocket)?
And when would the connection be terminated in IPS mode (I must be 
missing something here)?

A cruel set of three rules was:
alert tcp any any -> any 4444 (msg:"TEST-c1"; flags:S,A; 
flowbits:set,myflagA; sid:5002004; rev:1;)
alert tcp any any -> any 4444 (msg:"TEST-c3"; flowbits:isset,myflagA; 
flowbits:unset,myflagA; content:"bla-bla"; offset:0; depth:7; 
sid:5002006; rev:1;)
alert tcp any any -> any 4444 (msg:"TEST-c2"; flowbits:isset,myflagA; 
flowbits:unset,myflagA; dsize:>0; sid:5002005; rev:1;)
But it is just too ugly.



On 04/25/2013 05:23 PM, Anoop Saldanha wrote:
> On Thu, Apr 25, 2013 at 8:08 PM, Matt <matt at somedamn.com> wrote:
>> Maybe something like this (untested)?
>>
>> alert tcp any any -> any 4444 (msg:"TEST-a"; content:"bla-bla"; offset:0;
>> depth:7; flowbits:isnotset,ignore; flowbits:set,ignore; sid:5002002; rev:1;)
>>
>> Matt
>>
>>
>> On 4/25/2013 9:40 AM, Justin Cinkelj wrote:
>>> Hi
>>>
>>> I would like to write a rule to match relative to the start of a tcp stream.
>>> Something like
>>> alert tcp any any -> any 4444 (msg: "TEST-a"; content:"bla-bla"; offset:0;
>>> depth:7; sid:5002002; rev:1;)
>>>
>>> This triggers, but matches the start of every packet, and I would like to
>>> limit it to the first packet only.
>>>
>>> Justin
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> OISF: http://www.openinfosecfoundation.org/
>>>
> alert tcp any any -> any 4444 (msg: "TEST-a"; content:"bla-bla";
> offset:0; depth:7; flow:established,only_stream; sid:5002002; rev:1;)
>
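Matt's rule above is marked "untested", and the thread never shows how the three variants (the plain content match, the flowbits version, and the flow:established,only_stream version) behave on real traffic. The script below is an added example, not code from the thread or from the Suricata project: it writes, with only the Python standard library, a pcap of one constructed TCP session to port 4444 whose first and second client data segments both begin with "bla-bla", plus a rules file carrying the three variants. The addresses, MACs, sequence numbers and payloads are constructed test data, and the sids 5002010 and 5002011 are assumed here only so that all three rules can be loaded together (the thread reuses sid 5002002 for each). Run `suricata -r first_packet.pcap -S first_packet.rules -l .` and compare per-sid counts in fast.log: the plain rule fires on both data segments, and the flowbits rule can fire only once per flow because the "ignore" bit is set on the first match. The behaviour of only_stream depends on Suricata's reassembly and should be read off the output rather than assumed.

```python
"""Build a pcap of one TCP session plus a rules file to test the three rule
variants from the thread. Added example; stdlib only. All traffic data here
is constructed for the test, not captured."""
import struct

CLIENT = ("10.0.0.1", 40000)   # constructed test endpoints
SERVER = ("10.0.0.2", 4444)
MAC_C = bytes.fromhex("020000000001")  # locally administered, constructed
MAC_S = bytes.fromhex("020000000002")
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01

# sids 5002010/5002011 are assumed here so the three rules can coexist
RULES = """\
alert tcp any any -> any 4444 (msg:"TEST-plain"; content:"bla-bla"; offset:0; depth:7; sid:5002002; rev:1;)
alert tcp any any -> any 4444 (msg:"TEST-flowbits"; content:"bla-bla"; offset:0; depth:7; flowbits:isnotset,ignore; flowbits:set,ignore; sid:5002010; rev:1;)
alert tcp any any -> any 4444 (msg:"TEST-only_stream"; content:"bla-bla"; offset:0; depth:7; flow:established,only_stream; sid:5002011; rev:1;)
"""


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_addr(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


def tcp_packet(src, dst, seq, ack, flags, payload=b"", ip_id=1) -> bytes:
    """Ethernet + IPv4 + TCP frame with valid IP and TCP checksums."""
    (sip, sport), (dip, dport) = src, dst
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, flags, 65535, 0, 0)
    pseudo = ip_addr(sip) + ip_addr(dip) + struct.pack("!BBH", 0, 6, 20 + len(payload))
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id,
                         0, 64, 6, 0, ip_addr(sip), ip_addr(dip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    src_mac, dst_mac = (MAC_C, MAC_S) if src == CLIENT else (MAC_S, MAC_C)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + tcp_hdr + payload


def checksums_ok(frame: bytes) -> bool:
    """Re-verify the IP and TCP checksums of a frame from tcp_packet()."""
    ip, seg = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(ip) == 0 and checksum(pseudo + seg) == 0


def session_packets():
    """Handshake, two client segments both starting with "bla-bla", then FIN."""
    cseq, sseq = 1000, 5000
    first = b"bla-bla first segment\n"
    second = b"bla-bla second segment\n"
    n1, n2 = len(first), len(first) + len(second)
    steps = [
        (CLIENT, SERVER, cseq, 0, SYN, b""),
        (SERVER, CLIENT, sseq, cseq + 1, SYN | ACK, b""),
        (CLIENT, SERVER, cseq + 1, sseq + 1, ACK, b""),
        (CLIENT, SERVER, cseq + 1, sseq + 1, PSH | ACK, first),
        (SERVER, CLIENT, sseq + 1, cseq + 1 + n1, ACK, b""),
        (CLIENT, SERVER, cseq + 1 + n1, sseq + 1, PSH | ACK, second),
        (SERVER, CLIENT, sseq + 1, cseq + 1 + n2, ACK, b""),
        (CLIENT, SERVER, cseq + 1 + n2, sseq + 1, FIN | ACK, b""),
        (SERVER, CLIENT, sseq + 1, cseq + 2 + n2, FIN | ACK, b""),
        (CLIENT, SERVER, cseq + 2 + n2, sseq + 2, ACK, b""),
    ]
    return [tcp_packet(*s, ip_id=i + 1) for i, s in enumerate(steps)]


def pcap_bytes(packets, start=1366900000.0) -> bytes:
    """Classic libpcap file: global header (DLT_EN10MB) then per-packet records."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, pkt in enumerate(packets):
        ts = start + i * 0.01
        out.append(struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


if __name__ == "__main__":
    with open("first_packet.pcap", "wb") as f:
        f.write(pcap_bytes(session_packets()))
    with open("first_packet.rules", "w") as f:
        f.write(RULES)
    print("wrote first_packet.pcap and first_packet.rules")
```

Because the second data segment also starts with "bla-bla", the pcap separates "matches at offset 0 of the first packet" from "matches at offset 0 of any packet"; a capture where only the first segment carried the string would make all three rules look equivalent.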
