[Oisf-users] Rules matching packet sequences rather than individual packets?

rmkml rmkml at yahoo.fr
Sun Jan 6 21:38:50 UTC 2013

Good, please check adding flow:from_server,established on first rule
and flow:to_server,established on second rule please.

On Sun, 6 Jan 2013, Matt wrote:

> Thanks!  That's exactly what I needed. I can't share a pcap from my 
> customers' traffic, but here are the rules I just wrote:
> alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication Accept"; content:"|05 00|"; dsize:2; flowbits:set, socks5; flowbits:noalert;)
> alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET"; flowbits:isset, socks5; content:"GET "; depth:4; classtype:trojan-activity; sid:7100001; rev:1;)
> 0x0500 is the reply back from the SOCKS5 server indicating authentication 
> succeeded.  A subsequent HTTP GET in the other direction triggers the alert.
> Matt
> On 1/6/2013 3:17 PM, rmkml wrote:
>> Hi Matt,
>> Yes it's possible with flowbits...
>> Can you share a pcap please?
>> Regards
>> Rmkml
>> On Sun, 6 Jan 2013, Matt wrote:
>>> Is it possible to write a rule that matches a sequence of packets in a 
>>> flow? My specific use case is that I'd like to match HTTP requests sent 
>>> across SOCKS5 proxy tunnels.  I can easily write a rule to match a SOCKS5 
>>> handshake or an HTTP request, but I don't know if it's possible to match 
>>> the request only when it follows the handshake in a given tcp session.
>>> - Matt

More information about the Oisf-users mailing list