[Oisf-users] Rules matching packet sequences rather than individual packets?

Peter Manev petermanev at gmail.com
Mon Jan 7 10:15:35 UTC 2013


Hi Matt,
Would you be able to share a test pcap?
Change the IPs if needed.

Thank you

On Mon, Jan 7, 2013 at 1:29 AM, Matt Carothers <matt at somedamn.com> wrote:

> Adding the flow directions does work. Using the http rules does not.
>  Here's what I have now:
>
> alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication Accept";
> content:"|05 00|"; dsize:2; flowbits:set, socks5; flowbits:noalert;
> flow:from_server,established;)
> alert http any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET";
> flowbits:isset, socks5; content:"GET"; nocase; http_method;
> classtype:trojan-activity; sid:7100001; rev:1;)
> alert http any any -> $HOME_NET any (msg:"SOCKS5 Tunneled POST";
> flowbits:isset, socks5; content:"POST"; nocase; http_method;
> classtype:trojan-activity; sid:7100002; rev:1;)
> alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET";
> flowbits:isset, socks5; flow:from_client,established; content:"GET ";
> depth:4; classtype:trojan-activity; sid:7100003; rev:1;)
>
> Only the 7100003 rule triggers.
>
> Matt
>
>
> On 1/6/2013 4:45 PM, rmkml wrote:
>
>> and I'm curious if a Suricata http rule like "alert http ...
>> content:"GET"; nocase; http_method;..." works?
>> Regards
>> Rmkml
>>
>>
>> On Sun, 6 Jan 2013, rmkml wrote:
>>
>>> Good, please check adding flow:from_server,established on the first rule
>>> and flow:to_server,established on the second rule.
>>> Regards
>>> Rmkml
>>>
>>>
>>> On Sun, 6 Jan 2013, Matt wrote:
>>>
>>>> Thanks!  That's exactly what I needed. I can't share a pcap from my
>>>> customers' traffic, but here are the rules I just wrote:
>>>>
>>>> alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication Accept";
>>>> content:"|05 00|"; dsize:2; flowbits:set, socks5; flowbits:noalert;)
>>>> alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET";
>>>> flowbits:isset, socks5; content:"GET "; depth:4; classtype:trojan-activity;
>>>> sid:7100001; rev:1;)
>>>>
>>>> 0x0500 is the reply back from the SOCKS5 server indicating
>>>> authentication succeeded.  A subsequent HTTP GET in the other direction
>>>> triggers the alert.
>>>>
>>>> Matt
>>>>
>>>> On 1/6/2013 3:17 PM, rmkml wrote:
>>>>
>>>>> Hi Matt,
>>>>> Yes it's possible with flowbits...
>>>>> Can you share a pcap please?
>>>>> Regards
>>>>> Rmkml
>>>>>
>>>>>
>>>>> On Sun, 6 Jan 2013, Matt wrote:
>>>>>
>>>>>> Is it possible to write a rule that matches a sequence of packets in
>>>>>> a flow? My specific use case is that I'd like to match HTTP requests sent
>>>>>> across SOCKS5 proxy tunnels.  I can easily write a rule to match a SOCKS5
>>>>>> handshake or an HTTP request, but I don't know if it's possible to match
>>>>>> the request only when it follows the handshake in a given tcp session.
>>>>>>
>>>>>> - Matt
>>>>>>
>>>>>
>>>
>>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>



-- 
Regards,
Peter Manev
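Peter asks for a test pcap and Matt cannot share customer traffic, so here is a way to produce one from scratch. The script below is an added example written for this thread, not code from any of the participants or from the Suricata project: it synthesises the exact session Matt describes (SOCKS5 greeting, the 05 00 method-select reply that sets the flowbit, a CONNECT request and reply, then the HTTP GET tunnelled in the client-to-server direction) and writes it as a classic libpcap file using only the Python standard library. The IP addresses, MACs, ports, hostname and request line are all made-up test values.

```python
"""Synthesise a pcap of an HTTP GET tunnelled through a SOCKS5 proxy.

Added example for testing the flowbits rules in this thread offline; every
address, port, MAC and the request line below is constructed test data, not
captured traffic. Run it, then replay the file through Suricata, e.g.

    suricata -r socks5_get.pcap -S socks5.rules -l ./log
"""
import socket
import struct

CLIENT_IP, CLIENT_PORT = "10.0.0.5", 40000        # assumed $HOME_NET host
PROXY_IP, PROXY_PORT = "198.51.100.10", 1080      # assumed SOCKS5 proxy (RFC 5737 range)
CLIENT_MAC = bytes.fromhex("020000000001")
PROXY_MAC = bytes.fromhex("020000000002")
SYN, ACK, PSH = 0x02, 0x10, 0x08

TARGET = b"example.test"   # made-up destination behind the proxy
# Application payloads in wire order as (from_client, bytes): the RFC 1928
# handshake, then the tunnelled request. The 05 00 method-select reply is what
# the first rule keys on; the GET in the opposite direction fires the second.
EXCHANGE = [
    (True, b"\x05\x01\x00"),                                        # greeting: v5, 1 method, no-auth
    (False, b"\x05\x00"),                                           # method select: no-auth accepted
    (True, b"\x05\x01\x00\x03" + bytes([len(TARGET)]) + TARGET + struct.pack("!H", 80)),  # CONNECT host:80
    (False, b"\x05\x00\x00\x01" + b"\x00" * 4 + b"\x00\x00"),       # succeeded, bound 0.0.0.0:0
    (True, b"GET / HTTP/1.1\r\nHost: " + TARGET + b"\r\n\r\n"),      # tunnelled HTTP request
]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (zero-padded to 16 bits)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_frame(src_ip, dst_ip, src_mac, dst_mac, sport, dport, seq, ack, flags, payload):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


def build_session(exchange=EXCHANGE):
    """Three-way handshake, then each payload as PSH/ACK followed by the peer's ACK."""
    frames = []
    state = {"c": 1000, "p": 5000}  # arbitrary initial sequence numbers

    def send(from_client, flags, payload=b""):
        me, peer = ("c", "p") if from_client else ("p", "c")
        ack = state[peer] if flags & ACK else 0
        if from_client:
            frames.append(tcp_frame(CLIENT_IP, PROXY_IP, CLIENT_MAC, PROXY_MAC,
                                    CLIENT_PORT, PROXY_PORT, state["c"], ack, flags, payload))
        else:
            frames.append(tcp_frame(PROXY_IP, CLIENT_IP, PROXY_MAC, CLIENT_MAC,
                                    PROXY_PORT, CLIENT_PORT, state["p"], ack, flags, payload))
        state[me] += len(payload) + (1 if flags & SYN else 0)

    send(True, SYN)
    send(False, SYN | ACK)
    send(True, ACK)
    for from_client, payload in exchange:
        send(from_client, PSH | ACK, payload)
        send(not from_client, ACK)
    return frames


def build_pcap(frames, ts=1357552800):
    """Classic libpcap file: 24-byte global header (linktype 1 = Ethernet) and
    16-byte record headers; ts is an arbitrary fixed start time, 1 ms per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, i * 1000, len(frame), len(frame)) + frame)
    return b"".join(out)


def frame_ok(frame: bytes) -> bool:
    """Re-verify the IP and TCP checksums of a frame produced above."""
    ip, tcp_and_data = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp_and_data))
    return checksum(ip) == 0 and checksum(pseudo + tcp_and_data) == 0


if __name__ == "__main__":
    frames = build_session()
    with open("socks5_get.pcap", "wb") as fh:
        fh.write(build_pcap(frames))
    print("wrote socks5_get.pcap with %d frames" % len(frames))
```

With Matt's rules in a file and $HOME_NET covering 10.0.0.0/8, `suricata -r socks5_get.pcap -S socks5.rules -l ./log` should leave one "SOCKS5 Tunneled GET" line in fast.log from sid 7100003 and nothing from the `alert http` variants. That is consistent with how Suricata classifies flows: application-layer protocol detection works on the first bytes each side sends, so a stream that opens with the SOCKS5 greeting is not identified as HTTP and the `http_method` buffer is never populated, whereas the raw `tcp` rule with `content:"GET "; depth:4;` inspects the segment payload directly. Swap the payloads in EXCHANGE (a 05 FF "no acceptable methods" reply, or a GET with no preceding handshake) to confirm the flowbit really gates the alert.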