[Oisf-users] Timed Flowbits

Kevin Ross kevross33 at googlemail.com
Tue Oct 1 15:04:14 UTC 2013


I am wondering has "timed flowbits" ever been considered as a rule option?
i.e say I am a client machine. I access a exploit kit and my java is
exploited, I then download a PDF; usually that happens within a few seconds
only which is much faster than a usual user so if you had a rule which was
like (completely fabricated rule language but just conveying the idea).

# First set "flowtime" like flowbits to expire after so long but can be
used to alert in that time if something is matched between the same
source/destination in the time. In this you could combine other indicators
too (like I have noticed most Java exploits in exploit kits are usually
small to the point of being under 30K in size)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Java Archive
Downloaded"; flow:established,to_client; content:"java/archive";
http_header; file_data; content:"PK"; within:2;
flowtime:track,src_and_dst,time:4 seconds; flowbits:noalert;
classtype:not-supisicous; sid:123991; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF Downloaded";
flow:established,to_client; filemagic:"PDF doc";
flowtime:exploit,track,src_and_dst,time:4 seconds; flowbits:noalert;
classtype:not-supisicous; sid:123992; rev:1;)

# If an executable then is downloaded within the time period it will then
generate an alert.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Executable Download
Following Potential Java/PDF Exploit"; flowtimeset:exploit;
flow:established,to_client; filemagic:"PE32";  classtype:bad-unknown;
sid:123993; rev:1;)

Hopefully I am conveying this scenario well enough. Mostly likely this is
probably the only scenerio where this would make sense but such a system
could even help spot zero day attacks as you are focusing more on the
unusual timings of the request in this case.

Just a thought I had looking at logs :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20131001/f08febaa/attachment.html>

More information about the Oisf-users mailing list