[Oisf-users] Rules matching packet sequences rather than individual packets?

Anoop Saldanha anoopsaldanha at gmail.com
Tue Jan 8 18:28:00 UTC 2013


On Mon, Jan 7, 2013 at 3:15 AM, rmkml <rmkml at yahoo.fr> wrote:
> and I'm curious if a Suricata http rule like "alert http ...
> content:"GET"; nocase; http_method;..." works?

This should work.

>
> On Sun, 6 Jan 2013, rmkml wrote:
>
>> Good, please check adding flow:from_server,established on first rule
>> and flow:to_server,established on second rule please.
>> Regards
>> Rmkml
>>
>>
>> On Sun, 6 Jan 2013, Matt wrote:
>>
>>> Thanks!  That's exactly what I needed. I can't share a pcap from my
>>> customers' traffic, but here are the rules I just wrote:
>>>
>>> alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication Accept";
>>> content:"|05 00|"; dsize:2; flowbits:set, socks5; flowbits:noalert;)
>>> alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET";
>>> flowbits:isset, socks5; content:"GET "; depth:4; classtype:trojan-activity;
>>> sid:7100001; rev:1;)
>>>
>>> 0x0500 is the reply back from the SOCKS5 server indicating authentication
>>> succeeded.  A subsequent HTTP GET in the other direction triggers the alert.
>>>
>>> Matt
>>>
>>> On 1/6/2013 3:17 PM, rmkml wrote:
>>>>
>>>> Hi Matt,
>>>> Yes it's possible with flowbits...
>>>> Can you share a pcap please?
>>>> Regards
>>>> Rmkml
>>>>
>>>>
>>>> On Sun, 6 Jan 2013, Matt wrote:
>>>>
>>>>> Is it possible to write a rule that matches a sequence of packets in a
>>>>> flow? My specific use case is that I'd like to match HTTP requests sent
>>>>> across SOCKS5 proxy tunnels.  I can easily write a rule to match a SOCKS5
>>>>> handshake or an HTTP request, but I don't know if it's possible to match the
>>>>> request only when it follows the handshake in a given tcp session.
>>>>>
>>>>> - Matt
>>
>>



-- 
Anoop Saldanha
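As an added example, not code from this thread or from Suricata, the following Python models the two-rule flowbits sequence Matt posted, with rmkml's direction checks applied: rule 1 sets a per-flow bit on a 2-byte |05 00| reply from the server without alerting, and rule 2 alerts on a client-to-server "GET " only when that bit is already set in the same session. The packets, addresses and the to_server flag are constructed assumptions; this simulates the rule semantics rather than running the engine.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    to_server: bool  # True for client -> server segments of the TCP session

@dataclass
class FlowState:
    bits: set = field(default_factory=set)  # the flow's flowbits

def flow_key(pkt):
    # Direction-agnostic key so both sides of one session share state.
    return tuple(sorted((pkt.src, pkt.dst)))

def inspect(packets):
    flows, alerts = {}, []
    for pkt in packets:
        st = flows.setdefault(flow_key(pkt), FlowState())
        # Rule 1: content:"|05 00|"; dsize:2; flow:from_server (rmkml's hint);
        # flowbits:set,socks5; flowbits:noalert -> state only, never an alert.
        if not pkt.to_server and pkt.payload == b"\x05\x00":
            st.bits.add("socks5")
        # Rule 2: flowbits:isset,socks5; content:"GET "; depth:4; flow:to_server.
        elif pkt.to_server and pkt.payload[:4] == b"GET " and "socks5" in st.bits:
            alerts.append(("SOCKS5 Tunneled GET", flow_key(pkt)))
    return alerts

# Constructed sample traffic (not a real capture).
SAMPLE = [
    # Session A: SOCKS5 greeting, "no auth" reply, CONNECT exchange, tunneled GET.
    Packet("10.0.0.5", "10.0.0.9", b"\x05\x01\x00", True),
    Packet("10.0.0.9", "10.0.0.5", b"\x05\x00", False),
    Packet("10.0.0.5", "10.0.0.9", b"\x05\x01\x00\x01\xc0\xa8\x01\x02\x00\x50", True),
    Packet("10.0.0.9", "10.0.0.5", b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00", False),
    Packet("10.0.0.5", "10.0.0.9", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", True),
    # Session B: a plain GET with no preceding SOCKS5 handshake -> must not alert.
    Packet("10.0.0.7", "10.0.0.8", b"GET / HTTP/1.1\r\n\r\n", True),
    # Session C: |05 00| sent client -> server is the wrong direction, so no bit is set.
    Packet("10.0.0.3", "10.0.0.4", b"\x05\x00", True),
    Packet("10.0.0.3", "10.0.0.4", b"GET / HTTP/1.1\r\n\r\n", True),
]

def run_sample():
    return inspect(SAMPLE)
```

Only session A produces an alert; the 10-byte CONNECT reply in session A does not set the bit because dsize:2 requires the payload to be exactly the two bytes.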