[Oisf-users] Rules matching packet sequences rather than individual packets?

Matt matt at somedamn.com
Sun Jan 6 21:19:30 UTC 2013


Thanks!  That's exactly what I needed. I can't share a pcap from my 
customers' traffic, but here are the rules I just wrote:

alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication Accept"; content:"|05 00|"; dsize:2; flowbits:set, socks5; flowbits:noalert;)
alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET"; flowbits:isset, socks5; content:"GET "; depth:4; classtype:trojan-activity; sid:7100001; rev:1;)

0x0500 is the reply back from the SOCKS5 server indicating 
authentication succeeded.  A subsequent HTTP GET in the other direction 
triggers the alert.

Matt
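Added example (not from the thread or from Suricata): a small simulation of how the two rules above behave with per-flow flowbits, run over constructed packets. It assumes HOME_NET is 10.0.0.0/8 and the proxy listens on 10.1.2.3:1080; only the checks the rules actually use (direction, content, dsize, depth, flowbits) are modelled.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption for this example


def in_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET


# The two rules from the post, reduced to the options they rely on.
RULES = [
    dict(msg="SOCKS5 Authentication Accept", src_home=True, dst_home=None,
         content=b"\x05\x00", dsize=2, depth=None, set="socks5", isset=None, noalert=True),
    dict(msg="SOCKS5 Tunneled GET", src_home=None, dst_home=True,
         content=b"GET ", dsize=None, depth=4, set=None, isset="socks5", noalert=False),
]


def flow_key(src, sport, dst, dport):
    """Direction-independent flow identifier: both directions share one flowbit set."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def rule_matches(rule, pkt):
    src, sport, dst, dport, payload = pkt
    if rule["src_home"] is not None and in_home(src) != rule["src_home"]:
        return False
    if rule["dst_home"] is not None and in_home(dst) != rule["dst_home"]:
        return False
    if rule["dsize"] is not None and len(payload) != rule["dsize"]:
        return False
    window = payload if rule["depth"] is None else payload[:rule["depth"]]
    return rule["content"] in window


def run(packets):
    """Evaluate packets in order; return the alert messages that would fire."""
    flowbits, alerts = {}, []
    for pkt in packets:
        bits = flowbits.setdefault(flow_key(*pkt[:4]), set())
        for r in RULES:
            if r["isset"] and r["isset"] not in bits:
                continue  # flowbits:isset gates the rule on earlier traffic in this flow
            if not rule_matches(r, pkt):
                continue
            if r["set"]:
                bits.add(r["set"])  # flowbits:set
            if not r["noalert"]:
                alerts.append(r["msg"])  # flowbits:noalert suppresses the first rule
    return alerts


# Constructed sample traffic: external client 203.0.113.5, SOCKS proxy 10.1.2.3.
CLIENT, PROXY = "203.0.113.5", "10.1.2.3"
TUNNELED = [
    (CLIENT, 40000, PROXY, 1080, b"\x05\x01\x00"),       # client greeting, 3 bytes: dsize:2 fails
    (PROXY, 1080, CLIENT, 40000, b"\x05\x00"),           # server accepts: bit set, no alert
    (CLIENT, 40000, PROXY, 1080, b"GET / HTTP/1.1\r\n"), # GET after handshake: alert
]
PLAIN_GET = [(CLIENT, 40001, PROXY, 80, b"GET / HTTP/1.1\r\n")]  # no handshake in this flow
```

`run(TUNNELED)` yields one "SOCKS5 Tunneled GET" alert, while `run(PLAIN_GET)` and `run(TUNNELED[2:])` yield none, which is the sequence dependency the flowbits pair provides.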

On 1/6/2013 3:17 PM, rmkml wrote:
> Hi Matt,
> Yes it's possible with flowbits...
> Can you share a pcap please?
> Regards
> Rmkml
>
>
> On Sun, 6 Jan 2013, Matt wrote:
>
>> Is it possible to write a rule that matches a sequence of packets in 
>> a flow? My specific use case is that I'd like to match HTTP requests 
>> sent across SOCKS5 proxy tunnels.  I can easily write a rule to match 
>> a SOCKS5 handshake or an HTTP request, but I don't know if it's 
>> possible to match the request only when it follows the handshake in a 
>> given tcp session.
>>
>> - Matt
>