[Oisf-users] rule for inspecting first packet in tcp stream only

Anoop Saldanha anoopsaldanha at gmail.com
Thu Apr 25 17:19:57 UTC 2013


On Thu, Apr 25, 2013 at 10:04 PM, Justin Cinkelj <justin.cinkelj at xlab.si> wrote:
> only_stream works, yes, and the rule is short and elegant. I like it.

To avoid getting the rule re-inspected against subsequent stream
messages, you still need to add the flowbits Matt specified.

> Match occurs only when terminating the stream. So while usually individual
> packets are inspected, in this case only the stream as a whole is inspected, and
> this is after closing the stream?
>
> Wouldn't that consume memory if the connection is long-lasting (file upload,
> websocket)?
> And when would the connection be terminated in IPS mode (I must be
> missing something here)?
>
>

Yes, the stream only would be inspected, and it would be inspected if
we reach the chunk inspection limit, specified in the conf file.  This
behaviour is different if the flow carries app layer protocols like
http, where we force stream segments to be inspected along with the
corresponding app state.

> A cruel set of three rules was:
> alert tcp any any -> any 4444 (msg:"TEST-c1"; flags:S,A; flowbits:set,myflagA; sid:5002004; rev:1;)
> alert tcp any any -> any 4444 (msg:"TEST-c3"; flowbits:isset,myflagA; flowbits:unset,myflagA; content:"bla-bla"; offset:0; depth:7; sid:5002006; rev:1;)
> alert tcp any any -> any 4444 (msg:"TEST-c2"; flowbits:isset,myflagA; flowbits:unset,myflagA; dsize:>0; sid:5002005; rev:1;)
> But it is just too ugly.
>
>
>
> On 04/25/2013 05:23 PM, Anoop Saldanha wrote:
>>
>> On Thu, Apr 25, 2013 at 8:08 PM, Matt <matt at somedamn.com> wrote:
>>>
>>> Maybe something like this (untested)?
>>>
>>> alert tcp any any -> any 4444 (msg:"TEST-a"; content:"bla-bla"; offset:0; depth:7; flowbits:isnotset,ignore; flowbits:set,ignore; sid:5002002; rev:1;)
>>>
>>> Matt
>>>
>>>
>>> On 4/25/2013 9:40 AM, Justin Cinkelj wrote:
>>>>
>>>> Hi
>>>>
>>>> I would like to write rule to match relative to start of tcp stream.
>>>> Something like
>>>> alert tcp any any -> any 4444 (msg: "TEST-a"; content:"bla-bla"; offset:0; depth:7; sid:5002002; rev:1;)
>>>>
>>>> This triggers, but matches start of every packet, and I would like to
>>>> limit it to the first packet only.
>>>>
>>>> Justin
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support:
>>>> http://suricata-ids.org/support/
>>>> List:
>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> OISF: http://www.openinfosecfoundation.org/
>>>>
>>
>> alert tcp any any -> any 4444 (msg: "TEST-a"; content:"bla-bla"; offset:0; depth:7; flow:established,only_stream; sid:5002002; rev:1;)
>>
>



-- 
Anoop Saldanha
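The thread ends with two halves of an answer: Anoop's `flow:established,only_stream` rule, which restricts inspection to reassembled stream data, and Matt's `flowbits:isnotset`/`flowbits:set` pair, which stops the rule from firing again on later chunks of the same flow. The combined rule below is an added example, not a rule posted in the thread; it keeps the original sid and bumps the revision, and the flowbit name `seen_first_chunk` is an arbitrary choice (the thread used `ignore` and `myflagA`).

```suricata
# Added example (not from the thread): match "bla-bla" only at the very start of
# the reassembled TCP stream, once per flow.
#   flow:established,only_stream  -> inspect reassembled stream data, not raw packets
#   flowbits:isnotset / set       -> the first matching stream chunk sets the bit, so
#                                    later chunks of the same flow never re-trigger it
#   offset:0; depth:7             -> "bla-bla" must be the first 7 bytes of the buffer
# Flowbit name and rev:2 are assumptions for this example.
alert tcp any any -> any 4444 (msg:"TEST-a first stream chunk only"; flow:established,only_stream; flowbits:isnotset,seen_first_chunk; flowbits:set,seen_first_chunk; content:"bla-bla"; offset:0; depth:7; sid:5002002; rev:2;)
```

Two caveats follow from Anoop's reply. First, with `only_stream` the match is evaluated against reassembled data, so in the plain-TCP case it runs when Suricata flushes a reassembly chunk (the chunk inspection limit in the configuration), not on the first packet's arrival; a flow carrying a recognised application-layer protocol such as HTTP is handled differently, since stream segments are then inspected together with the app-layer state. Second, the flowbit only suppresses re-inspection of subsequent chunks; it does not change when the first inspection happens, so for IPS use the timing of the reassembly flush is what determines when an alert or drop could take effect.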