[Oisf-users] Timed Flowbits
Will Metcalf
william.metcalf at gmail.com
Tue Oct 1 15:13:42 UTC 2013
Yes... We need this..
On Tue, Oct 1, 2013 at 10:11 AM, Shirkdog <shirkdog at gmail.com> wrote:
> This goes back to the idea of global flowbits, which Mike Rash
> described in this blog post:
>
> http://www.cipherdyne.org/blog/2013/07/crossing-the-streams-in-ids-signature-languages.html
> ---
> Michael Shirk
>
>
> On Tue, Oct 1, 2013 at 11:04 AM, Kevin Ross <kevross33 at googlemail.com> wrote:
> > Hi,
> >
> > I am wondering whether "timed flowbits" has ever been considered as a rule
> > option? I.e. say I am a client machine. I access an exploit kit and my Java is
> > exploited, I then download a PDF; usually that happens within a few seconds
> > only, which is much faster than a usual user, so if you had a rule which was
> > like (completely fabricated rule language but just conveying the idea).
> >
> > # First set "flowtime" like flowbits to expire after so long but can be used
> > # to alert in that time if something is matched between the same
> > # source/destination in the time. In this you could combine other indicators
> > # too (like I have noticed most Java exploits in exploit kits are usually
> > # small to the point of being under 30K in size)
> > alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Java Archive
> > Downloaded"; flow:established,to_client; content:"java/archive";
> > http_header; file_data; content:"PK"; within:2;
> > flowtime:track,src_and_dst,time:4 seconds; flowbits:noalert;
> > classtype:not-suspicious; sid:123991; rev:1;)
> >
> > alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PDF Downloaded";
> > flow:established,to_client; filemagic:"PDF doc";
> > flowtime:exploit,track,src_and_dst,time:4 seconds; flowbits:noalert;
> > classtype:not-suspicious; sid:123992; rev:1;)
> >
> > # If an executable then is downloaded within the time period it will then
> > # generate an alert.
> > alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Executable Download
> > Following Potential Java/PDF Exploit"; flowtimeset:exploit;
> > flow:established,to_client; filemagic:"PE32"; classtype:bad-unknown;
> > sid:123993; rev:1;)
> >
> > Hopefully I am conveying this scenario well enough. Most likely this is
> > probably the only scenario where this would make sense, but such a system
> > could even help spot zero day attacks as you are focusing more on the
> > unusual timings of the request in this case.
> >
> > Just a thought I had looking at logs :)
> > Regards,
> > Kevin
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
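Added example, not code from the thread or from Suricata: a small Python model of the "flowtime" idea sketched above, keeping an expiring bit per source/destination pair and alerting only when a PE32 download follows a Java archive or PDF within the 4 second window. The event records and addresses are constructed sample data.

```python
# Added illustration of the timed-flowbits idea; events are constructed, not real traffic.
WINDOW_SECONDS = 4.0  # the "time:4 seconds" from the sketched rules

# Constructed events: (timestamp, src_ip, dst_ip, file type the setter rule matched)
SAMPLE_EVENTS = [
    (100.0, "203.0.113.10", "192.0.2.5", "java_archive"),
    (101.5, "203.0.113.10", "192.0.2.5", "pe32"),  # 1.5 s later: alert
    (200.0, "203.0.113.20", "192.0.2.6", "pdf"),
    (210.0, "203.0.113.20", "192.0.2.6", "pe32"),  # 10 s later: bit expired
    (400.0, "203.0.113.40", "192.0.2.8", "java_archive"),
    (401.0, "203.0.113.40", "192.0.2.9", "pe32"),  # different dst: no match
]


class TimedFlowbits:
    """Flowbits keyed on (name, src, dst) that expire after a fixed window."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self._expiry = {}  # (name, src, dst) -> absolute expiry time

    def set(self, name, src, dst, now):
        # Re-setting refreshes the window, as the sketched flowtime option would.
        self._expiry[(name, src, dst)] = now + self.window

    def isset(self, name, src, dst, now):
        key = (name, src, dst)
        expiry = self._expiry.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self._expiry[key]  # lazily drop stale bits
            return False
        return True


SETTERS = {"java_archive", "pdf"}  # sids 123991/123992 set the bit with noalert
ALERT_MSG = "Executable Download Following Potential Java/PDF Exploit"


def process(events, window_seconds=WINDOW_SECONDS):
    """Replay events in time order; return the alerts the third rule would fire."""
    bits = TimedFlowbits(window_seconds)
    alerts = []
    for ts, src, dst, kind in sorted(events):
        if kind in SETTERS:
            bits.set("exploit", src, dst, ts)
        elif kind == "pe32" and bits.isset("exploit", src, dst, ts):
            alerts.append((ts, src, dst, ALERT_MSG))
    return alerts
```

Suricata later added an `xbits` keyword with `track ip_pair` and an `expire` option, which provides this kind of expiring state across flows.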