[Oisf-users] Rules matching packet sequences rather than individual packets?

rmkml rmkml at yahoo.fr
Sun Jan 6 21:45:20 UTC 2013


and I'm curious whether an http rule like "alert http ... content:"GET"; nocase; http_method;..." would work in Suricata?
Regards
Rmkml


On Sun, 6 Jan 2013, rmkml wrote:

> Good, please check adding flow:from_server,established on the first rule
> and flow:to_server,established on the second rule.
> Regards
> Rmkml
>
>
> On Sun, 6 Jan 2013, Matt wrote:
>
>> Thanks!  That's exactly what I needed. I can't share a pcap from my 
>> customers' traffic, but here are the rules I just wrote:
>> 
>> alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication Accept"; content:"|05 00|"; dsize:2; flowbits:set, socks5; flowbits:noalert;)
>> alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET"; flowbits:isset, socks5; content:"GET "; depth:4; classtype:trojan-activity; sid:7100001; rev:1;)
>> 
>> 0x0500 is the reply back from the SOCKS5 server indicating authentication 
>> succeeded.  A subsequent HTTP GET in the other direction triggers the 
>> alert.
>> 
>> Matt
>> 
>> On 1/6/2013 3:17 PM, rmkml wrote:
>>> Hi Matt,
>>> Yes it's possible with flowbits...
>>> Can you share a pcap please?
>>> Regards
>>> Rmkml
>>> 
>>> 
>>> On Sun, 6 Jan 2013, Matt wrote:
>>> 
>>>> Is it possible to write a rule that matches a sequence of packets in a 
>>>> flow? My specific use case is that I'd like to match HTTP requests sent 
>>>> across SOCKS5 proxy tunnels.  I can easily write a rule to match a SOCKS5 
>>>> handshake or an HTTP request, but I don't know if it's possible to match 
>>>> the request only when it follows the handshake in a given tcp session.
>>>> 
>>>> - Matt
>
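The per-flow state that Matt's two rules rely on (the SOCKS5 accept sets a flowbit, the later GET in the opposite direction checks it), with rmkml's flow:from_server / flow:to_server additions, modelled as an added Python example; this is not code from the thread or from Suricata, and the addresses and packet sequences are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    to_server: bool   # True for client -> server within the TCP session
    payload: bytes

def flow_key(pkt):
    # Both directions of a TCP session share one flow and its flowbits;
    # modelled here as the unordered pair of endpoints.
    return frozenset((pkt.src, pkt.dst))

def detect(packets, home_net):
    """Return the alerts the two SOCKS5 rules would raise over a packet sequence."""
    flowbits = {}   # flow key -> set of flowbit names (per-flow state)
    alerts = []
    for pkt in packets:
        bits = flowbits.setdefault(flow_key(pkt), set())
        # Rule 1: $HOME_NET -> any, flow:from_server, dsize:2, content:"|05 00|",
        # flowbits:set,socks5; flowbits:noalert -> records state, never alerts.
        if (pkt.src in home_net and not pkt.to_server
                and pkt.payload == b"\x05\x00"):
            bits.add("socks5")
        # Rule 2: any -> $HOME_NET, flow:to_server, flowbits:isset,socks5,
        # content:"GET " depth:4 -> alerts only if this flow saw the accept.
        if (pkt.dst in home_net and pkt.to_server
                and "socks5" in bits and pkt.payload[:4] == b"GET "):
            alerts.append(f"SOCKS5 Tunneled GET {pkt.src} -> {pkt.dst}")
    return alerts

HOME_NET = {"10.0.0.5"}   # constructed: the SOCKS5 proxy sits inside HOME_NET

# Constructed packet sequences (not a real capture)
TUNNELED = [
    Packet("192.0.2.10", "10.0.0.5", True,  b"\x05\x01\x00"),                  # client greeting
    Packet("10.0.0.5", "192.0.2.10", False, b"\x05\x00"),                      # auth accept: bit set
    Packet("192.0.2.10", "10.0.0.5", True,  b"\x05\x01\x00\x01" + bytes(6)),   # CONNECT request
    Packet("10.0.0.5", "192.0.2.10", False, b"\x05\x00\x00\x01" + bytes(6)),   # CONNECT reply (10 bytes, dsize:2 fails)
    Packet("192.0.2.10", "10.0.0.5", True,  b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]
DIRECT_GET = [Packet("192.0.2.11", "10.0.0.5", True, b"GET / HTTP/1.1\r\n\r\n")]
# A 05 00 sent client -> server must not set the bit: flow:from_server rejects it
WRONG_DIRECTION = [
    Packet("192.0.2.12", "10.0.0.5", True, b"\x05\x00"),
    Packet("192.0.2.12", "10.0.0.5", True, b"GET / HTTP/1.1\r\n\r\n"),
]
```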
