[Oisf-users] Timed Flowbits

Shirkdog shirkdog at gmail.com
Tue Oct 1 15:11:12 UTC 2013

This goes back to the idea of global flowbits, which Mike Rash
described in this blog post:
Michael Shirk

On Tue, Oct 1, 2013 at 11:04 AM, Kevin Ross <kevross33 at googlemail.com> wrote:
> Hi,
> I am wondering has "timed flowbits" ever been considered as a rule option?
> i.e say I am a client machine. I access a exploit kit and my java is
> exploited, I then download a PDF; usually that happens within a few seconds
> only which is much faster than a usual user so if you had a rule which was
> like (completely fabricated rule language but just conveying the idea).
> # First set "flowtime" like flowbits to expire after so long but can be used
> to alert in that time if something is matched between the same
> source/destination in the time. In this you could combine other indicators
> too (like I have noticed most Java exploits in exploit kits are usually
> small to the point of being under 30K in size)
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Java Archive
> Downloaded"; flow:established,to_client; content:"java/archive";
> http_header; file_data; content:"PK"; within:2;
> flowtime:track,src_and_dst,time:4 seconds; flowbits:noalert;
> classtype:not-supisicous; sid:123991; rev:1;)
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF Downloaded";
> flow:established,to_client; filemagic:"PDF doc";
> flowtime:exploit,track,src_and_dst,time:4 seconds; flowbits:noalert;
> classtype:not-supisicous; sid:123992; rev:1;)
> # If an executable then is downloaded within the time period it will then
> generate an alert.
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Executable Download
> Following Potential Java/PDF Exploit"; flowtimeset:exploit;
> flow:established,to_client; filemagic:"PE32";  classtype:bad-unknown;
> sid:123993; rev:1;)
> Hopefully I am conveying this scenario well enough. Mostly likely this is
> probably the only scenerio where this would make sense but such a system
> could even help spot zero day attacks as you are focusing more on the
> unusual timings of the request in this case.
> Just a thought I had looking at logs :)
> Regards,
> Kevin
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

More information about the Oisf-users mailing list