[Oisf-users] Rules matching packet sequences rather than individual packets?
Matt Carothers
matt at somedamn.com
Mon Jan 7 00:29:36 UTC 2013
Adding the flow directions does work. Using the http rules does not.
Here's what I have now:
alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication Accept";
content:"|05 00|"; dsize:2; flowbits:set, socks5; flowbits:noalert;
flow:from_server,established;)
alert http any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET";
flowbits:isset, socks5; content:"GET"; nocase; http_method;
classtype:trojan-activity; sid:7100001; rev:1;)
alert http any any -> $HOME_NET any (msg:"SOCKS5 Tunneled POST";
flowbits:isset, socks5; content:"POST"; nocase; http_method;
classtype:trojan-activity; sid:7100002; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET";
flowbits:isset, socks5; flow:from_client,established; content:"GET ";
depth:4; classtype:trojan-activity; sid:7100003; rev:1;)
Only the 7100003 rule triggers.
Matt
On 1/6/2013 4:45 PM, rmkml wrote:
> and I'm curious if a Suricata http rule like "alert http ...
> content:"GET"; nocase; http_method;..." works?
> Regards
> Rmkml
>
>
> On Sun, 6 Jan 2013, rmkml wrote:
>
>> Good, please check adding flow:from_server,established on the first rule
>> and flow:to_server,established on the second rule.
>> Regards
>> Rmkml
>>
>>
>> On Sun, 6 Jan 2013, Matt wrote:
>>
>>> Thanks! That's exactly what I needed. I can't share a pcap from my
>>> customers' traffic, but here are the rules I just wrote:
>>>
>>> alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication
>>> Accept"; content:"|05 00|"; dsize:2; flowbits:set, socks5;
>>> flowbits:noalert;)
>>> alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET";
>>> flowbits:isset, socks5; content:"GET "; depth:4;
>>> classtype:trojan-activity; sid:7100001; rev:1;)
>>>
>>> 0x0500 is the reply back from the SOCKS5 server indicating
>>> authentication succeeded. A subsequent HTTP GET in the other
>>> direction triggers the alert.
>>>
>>> Matt
>>>
>>> On 1/6/2013 3:17 PM, rmkml wrote:
>>>> Hi Matt,
>>>> Yes it's possible with flowbits...
>>>> Can you share a pcap please?
>>>> Regards
>>>> Rmkml
>>>>
>>>>
>>>> On Sun, 6 Jan 2013, Matt wrote:
>>>>
>>>>> Is it possible to write a rule that matches a sequence of packets
>>>>> in a flow? My specific use case is that I'd like to match HTTP
>>>>> requests sent across SOCKS5 proxy tunnels. I can easily write a
>>>>> rule to match a SOCKS5 handshake or an HTTP request, but I don't
>>>>> know if it's possible to match the request only when it follows
>>>>> the handshake in a given tcp session.
>>>>>
>>>>> - Matt
>>
>
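Added example, not part of the thread: a small model of how the two raw-tcp rules in Matt's message (the flowbits:set rule on the server's "05 00" and the flowbits:isset rules on the following "GET "/"POST ") behave across a whole SOCKS5 session, run over packet sequences constructed here from RFC 1928 and RFC 1929. It only models the tcp rules: the alert http variants depend on Suricata's application-layer detection classifying the stream as HTTP from its first bytes, and a stream that opens with the SOCKS5 negotiation is not classified as HTTP, so http_method has no buffer to inspect. The model also makes one caveat visible: a two-byte "05 00" from the server is the method-selection reply choosing NO AUTHENTICATION, so a session that negotiates username/password authentication (reply "05 02", then "01 00") never sets the flowbit and its tunneled GET goes unreported. The rule functions, Packet/Flow classes and the 192.0.2.10 target are illustrative names and values, not anything from the original post.

```python
"""Added example (not from the thread): a toy model of how the raw-tcp flowbits
rules above behave across a SOCKS5 session. Packet sequences are constructed
here following RFC 1928/1929; they are not captures from the original post."""
from dataclasses import dataclass, field
import socket
import struct

# Flow directions, named as Suricata's flow keyword names them.
TO_SERVER = "to_server"
FROM_SERVER = "from_server"


@dataclass
class Packet:
    direction: str   # TO_SERVER or FROM_SERVER
    payload: bytes   # TCP payload only; len(payload) is what dsize tests


@dataclass
class Flow:
    """Per-TCP-session state. Flowbits are flow-scoped, so a bit set while
    inspecting one packet stays visible to rules run on later packets."""
    flowbits: set = field(default_factory=set)


def rule_socks5_accept(flow, pkt):
    """Models: flow:from_server; dsize:2; content:"|05 00|";
    flowbits:set,socks5; flowbits:noalert;  A 2-byte 05 00 from the server
    is the RFC 1928 method-selection reply "NO AUTHENTICATION REQUIRED"."""
    if pkt.direction == FROM_SERVER and len(pkt.payload) == 2 and pkt.payload == b"\x05\x00":
        flow.flowbits.add("socks5")
    return None  # noalert: the rule only records state


def rule_tunneled(method):
    """Builds a rule modelling: flow:to_server; flowbits:isset,socks5;
    content:"<METHOD> "; depth:N;  (depth == len(needle) pins it to offset 0)."""
    needle = method + b" "

    def rule(flow, pkt):
        if (pkt.direction == TO_SERVER and "socks5" in flow.flowbits
                and pkt.payload[:len(needle)] == needle):
            return "SOCKS5 Tunneled " + method.decode()
        return None
    return rule


RULES = [rule_socks5_accept, rule_tunneled(b"GET"), rule_tunneled(b"POST")]


def inspect(packets):
    """Evaluate every rule on every packet, in order, with fresh flow state.
    Returns the msg strings of the rules that alerted."""
    flow = Flow()
    alerts = []
    for pkt in packets:
        for rule in RULES:
            msg = rule(flow, pkt)
            if msg:
                alerts.append(msg)
    return alerts


def socks5_connect(dst_ip, dst_port):
    """CONNECT request for an IPv4 target (RFC 1928 section 4)."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)


def socks5_connect_reply(bind_ip, bind_port):
    """'Succeeded' reply (RFC 1928 section 6). It also begins with 05 00, but it
    is 10 bytes long, so dsize:2 keeps the first rule from matching it."""
    return b"\x05\x00\x00\x01" + socket.inet_aton(bind_ip) + struct.pack("!H", bind_port)


HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

# Constructed sample sessions (192.0.2.0/24 is the RFC 5737 documentation range).
FLOW_NOAUTH = [
    Packet(TO_SERVER, b"\x05\x01\x00"),                      # greeting: offers NO AUTHENTICATION
    Packet(FROM_SERVER, b"\x05\x00"),                        # server selects it -> flowbit set
    Packet(TO_SERVER, socks5_connect("192.0.2.10", 80)),
    Packet(FROM_SERVER, socks5_connect_reply("0.0.0.0", 0)),
    Packet(TO_SERVER, HTTP_GET),                             # request inside the tunnel -> alert
]

FLOW_USERPASS = [
    Packet(TO_SERVER, b"\x05\x01\x02"),                      # offers USERNAME/PASSWORD only
    Packet(FROM_SERVER, b"\x05\x02"),                        # server selects it: not 05 00, no flowbit
    Packet(TO_SERVER, b"\x01\x05alice\x06secret"),           # RFC 1929 subnegotiation
    Packet(FROM_SERVER, b"\x01\x00"),                        # auth success is 01 00, not 05 00
    Packet(TO_SERVER, socks5_connect("192.0.2.10", 80)),
    Packet(FROM_SERVER, socks5_connect_reply("0.0.0.0", 0)),
    Packet(TO_SERVER, HTTP_GET),                             # same tunneled request, no alert
]

FLOW_PLAIN_HTTP = [
    Packet(TO_SERVER, HTTP_GET),                             # GET with no prior handshake
    Packet(FROM_SERVER, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for name, pkts in [("no-auth SOCKS5", FLOW_NOAUTH),
                       ("user/pass SOCKS5", FLOW_USERPASS),
                       ("plain HTTP", FLOW_PLAIN_HTTP)]:
        print(f"{name:18s} -> {inspect(pkts)}")
```

Running it prints one alert for the no-auth session and none for the other two. If the username/password case matters in your environment, a second state-setting rule keyed on the 2-byte "01 00" reply (RFC 1929 success), or on the client's greeting "05 01 02", would be the natural extension; the inspect() loop shows why ordering matters, since the bit must be set on an earlier packet of the same flow before the isset rule can fire.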