[Oisf-users] How to detect one way flows
Victor Julien
lists at inliniac.net
Thu Oct 8 11:17:22 UTC 2015
On 08-10-15 11:34, Qinwen Hu wrote:
> I am trying to use Suricata to detect one-way flows in our network
> environment. I have enabled the flow module in eve-log. But my Suricata
> only runs for 1s recording the flow and then stops detecting the one-way
> flow. Does anyone know the reason?
>
> I also tried to define a new signature for detecting a one-way flow. I
> created a new signature:
>
> alert ipv6 any any -> any any (msg:"IPv6 one way flow"; flow:stateless;
> sid:2900096; rev:1;)
>
> Again, I didn't observe any IPv6 one-way flows. We have used another tool in
> the same environment, and we can detect IPv6 one-way flows with that tool.
>
> I am just wondering how to use Suricata to detect a one-way flow. Can
> anyone help me with this?
You could try lua:
    -- packets/bytes to server, packets/bytes to client for the current flow
    local ts_pkts, ts_bytes, tc_pkts, tc_bytes = SCFlowStats();
    if ts_pkts == nil then
        -- packet has no flow, nothing to match on
        return 0
    end
Full script example:
-- Ask for per-packet matching; SCFlowStats() needs the packet's flow.
function init (args)
    local needs = {}
    needs["packet"] = tostring(true)
    return needs
end

-- Match when the flow has seen traffic in one direction only.
function match(args)
    -- packets/bytes to server, packets/bytes to client
    local ts_pkts, ts_bytes, tc_pkts, tc_bytes = SCFlowStats();
    if ts_pkts == nil then
        -- packet has no flow, nothing to match on
        return 0
    end
    if ts_pkts > 10 and tc_pkts == 0 then
        return 1
    elseif tc_pkts > 10 and ts_pkts == 0 then
        return 1
    end
    return 0
end
Then add something like:
alert ip any any -> any any (flowbits:isnotset,foo; lua:flow-stats.lua; flowbits:set,foo; sid:1;)
You'll need recent code for this, e.g. 2.1beta4 or the git master.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
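The same one-way check can also be run offline against the EVE flow records the original question mentions. Suricata writes a "flow" event when a flow ends or times out, so the records show up some time after the traffic itself. The script below is an added example and is not code from the thread or from Suricata; it uses the pkts_toserver/pkts_toclient and bytes_toserver/bytes_toclient fields that Suricata's EVE flow output emits, the sample eve.json lines are constructed here, and the threshold of 10 packets mirrors the Lua script above but is my own choice.

```python
"""Flag one-way flows in Suricata EVE JSON (eve.json) flow records.

Added example: reads 'flow' events and reports flows where all packets
went in a single direction, the same test the Lua script performs per
packet. Sample input below is constructed, not captured traffic.
"""
import ipaddress
import json

# Constructed eve.json lines: one IPv6 one-way UDP flow, one normal TCP
# flow, one non-flow event, one short ICMPv6 flow, one toclient-only flow.
SAMPLE_EVE = """\
{"timestamp":"2015-10-08T11:00:00.000000+0000","event_type":"flow","src_ip":"2001:db8::10","src_port":40001,"dest_ip":"2001:db8::1","dest_port":53,"proto":"UDP","flow":{"pkts_toserver":12,"pkts_toclient":0,"bytes_toserver":960,"bytes_toclient":0,"age":10,"state":"new","reason":"timeout"}}
{"timestamp":"2015-10-08T11:00:01.000000+0000","event_type":"flow","src_ip":"192.0.2.7","src_port":51000,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":20,"pkts_toclient":18,"bytes_toserver":2400,"bytes_toclient":16000,"age":4,"state":"closed","reason":"timeout"}}
{"timestamp":"2015-10-08T11:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.7","dest_ip":"198.51.100.9","alert":{"signature_id":1}}
{"timestamp":"2015-10-08T11:00:03.000000+0000","event_type":"flow","src_ip":"2001:db8::20","src_port":0,"dest_ip":"2001:db8::2","dest_port":0,"proto":"IPv6-ICMP","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":240,"bytes_toclient":0,"age":1,"state":"new","reason":"timeout"}}
{"timestamp":"2015-10-08T11:00:04.000000+0000","event_type":"flow","src_ip":"192.0.2.8","src_port":514,"dest_ip":"198.51.100.10","dest_port":514,"proto":"UDP","flow":{"pkts_toserver":0,"pkts_toclient":11,"bytes_toserver":0,"bytes_toclient":880,"age":2,"state":"new","reason":"timeout"}}
"""


def is_one_way(flow, min_pkts=10):
    """True when at least min_pkts were seen in one direction and none in the other."""
    ts = flow.get("pkts_toserver", 0)
    tc = flow.get("pkts_toclient", 0)
    return (ts >= min_pkts and tc == 0) or (tc >= min_pkts and ts == 0)


def find_one_way_flows(eve_lines, min_pkts=10, ipv6_only=False):
    """Return a summary dict for every one-way flow event in eve_lines."""
    results = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip truncated or corrupt lines rather than abort
        if ev.get("event_type") != "flow":
            continue
        if ipv6_only:
            try:
                if ipaddress.ip_address(ev.get("src_ip", "")).version != 6:
                    continue
            except ValueError:
                continue
        flow = ev.get("flow", {})
        if not is_one_way(flow, min_pkts):
            continue
        direction = "toserver" if flow.get("pkts_toserver", 0) else "toclient"
        results.append({
            "timestamp": ev.get("timestamp"),
            "proto": ev.get("proto"),
            "src_ip": ev.get("src_ip"),
            "src_port": ev.get("src_port"),
            "dest_ip": ev.get("dest_ip"),
            "dest_port": ev.get("dest_port"),
            "direction": direction,
            "pkts": flow.get("pkts_toserver", 0) + flow.get("pkts_toclient", 0),
            "bytes": flow.get("bytes_toserver", 0) + flow.get("bytes_toclient", 0),
        })
    return results


if __name__ == "__main__":
    # Run over the constructed sample; point this at a real eve.json instead.
    for row in find_one_way_flows(SAMPLE_EVE.splitlines()):
        print("{timestamp} {proto} {src_ip}:{src_port} -> {dest_ip}:{dest_port} "
              "{direction}-only {pkts} pkts {bytes} bytes".format(**row))
```

Pass ipv6_only=True to restrict the report to IPv6 flows, which is the case the original question was after; the 3-packet ICMPv6 flow in the sample stays below the threshold and is not reported.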