[Oisf-users] How to detect one way flows

Qinwen Hu qhu009 at aucklanduni.ac.nz
Fri Oct 9 01:18:02 UTC 2015


Hi Victor,

Many thanks for your reply. I have applied the sample code from your
previous email to my system, but I find one strange issue:

My Suricata runs for a few seconds and then stops. I can see that tcpdump
is still receiving IPv6 packets, but Suricata stops capturing incoming
packets.

I have attached the screenshot and my configuration file to this email. Can
you please help me with this issue?


I used Suricata 2.1beta4 on my PC.


Many thanks for your help, have a nice day.


Kind regards,


Steven








On 9 October 2015 at 00:17, Victor Julien <lists at inliniac.net> wrote:

> On 08-10-15 11:34, Qinwen Hu wrote:
> > I am trying to use Suricata to detect one way flows in our network
> > environment. I have enabled the flow module from eve-log. But my suricata
> > only runs 1s for recording the flow and then stops detecting the one way
> > flow. Does anyone know the reason?
> >
> >
> > I also tried to define a new signature for detecting a one way flow. I
> > created a new signature
> >
> > alert ipv6 any any -> any any (msg:"IPv6 one way flow"; flow:stateless;
> > sid:2900096; rev:1;)
> >
> > Again, I didn't observe any IPv6 one way flows. We have used another tool
> > in the same environment, and we can detect IPv6 one way flows by using
> > that tool.
> >
> > I am just wondering, how do I use Suricata to detect a one way flow? Can
> > anyone help me with this?
>
> You could try Lua:
>
>     ts_pkts, ts_bytes, tc_pkts, tc_bytes = SCFlowStats();
>     if ts_pkts == nil then
>         return 0
>     end
>
> Full script example:
>
> function init (args)
>     -- Ask Suricata to hand the script the packet so SCFlowStats() works.
>     local needs = {}
>     needs["packet"] = tostring(true)
>     return needs
> end
>
> function match(args)
>     -- Packets/bytes to server (ts) and to client (tc) for the current flow.
>     ts_pkts, ts_bytes, tc_pkts, tc_bytes = SCFlowStats();
>     if ts_pkts == nil then
>         return 0
>     end
>
>     -- One-way: more than 10 packets in one direction and none in the other.
>     if ts_pkts > 10 and tc_pkts == 0 then
>         return 1
>     elseif tc_pkts > 10 and ts_pkts == 0 then
>         return 1
>     end
>     return 0
> end
>
> Then add something like:
>
> alert ip any any -> any any (flowbits:isnotset,foo; lua:flow-stats.lua;
> flowbits:set,foo; sid:1;)
>
> You'll need recent code for this, e.g. 2.1beta4 or the git master.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>



-- 

胡勤文/Qinwen Hu

Ph.D. Candidate, Computer Science, University of Auckland
奥克兰大学  计算机科学 博士研究生
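Added here as a worked example, not code from the thread or from the Suricata project: a small Python script that applies the same one-way test as the Lua script above (more than 10 packets in one direction, none in the other) to the eve.json flow records Qinwen already enabled, so the check can also be run offline over the log instead of inside the engine. The eve field names (event_type, flow.pkts_toserver, flow.pkts_toclient) are Suricata's; the sample lines are constructed.

```python
import json

# Threshold mirrors the Lua script from the thread: more than MIN_PKTS
# packets one way and zero the other way counts as a one-way flow.
MIN_PKTS = 10


def is_one_way(flow):
    """Return 'to_server', 'to_client' or None for an eve 'flow' object."""
    ts = flow.get("pkts_toserver", 0)
    tc = flow.get("pkts_toclient", 0)
    if ts > MIN_PKTS and tc == 0:
        return "to_server"
    if tc > MIN_PKTS and ts == 0:
        return "to_client"
    return None


def find_one_way_flows(lines):
    """Return (src_ip, dest_ip, proto, direction) for each one-way flow record."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated or corrupt line rather than abort
        if rec.get("event_type") != "flow":
            continue  # alerts, dns, http, ... carry no flow counters
        direction = is_one_way(rec.get("flow", {}))
        if direction:
            results.append((rec.get("src_ip"), rec.get("dest_ip"),
                            rec.get("proto"), direction))
    return results


# Constructed sample eve.json lines (not a real capture). Line 2 is a
# normal two-way flow, line 3 is not a flow event, line 5 is one-way but
# below the packet threshold; only lines 1 and 4 should be reported.
SAMPLE_EVE = """
{"timestamp":"2015-10-09T01:00:00.000000+0000","event_type":"flow","src_ip":"2001:db8::10","src_port":40000,"dest_ip":"2001:db8::20","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":15,"pkts_toclient":0,"bytes_toserver":1200,"bytes_toclient":0,"state":"new","reason":"timeout"}}
{"timestamp":"2015-10-09T01:00:01.000000+0000","event_type":"flow","src_ip":"2001:db8::11","src_port":40001,"dest_ip":"2001:db8::21","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":20,"pkts_toclient":18,"bytes_toserver":3000,"bytes_toclient":9000,"state":"closed","reason":"timeout"}}
{"timestamp":"2015-10-09T01:00:02.000000+0000","event_type":"alert","src_ip":"2001:db8::12","dest_ip":"2001:db8::22","proto":"UDP"}
{"timestamp":"2015-10-09T01:00:03.000000+0000","event_type":"flow","src_ip":"2001:db8::13","src_port":5000,"dest_ip":"2001:db8::23","dest_port":5000,"proto":"UDP","flow":{"pkts_toserver":0,"pkts_toclient":12,"bytes_toserver":0,"bytes_toclient":800,"state":"new","reason":"timeout"}}
{"timestamp":"2015-10-09T01:00:04.000000+0000","event_type":"flow","src_ip":"2001:db8::14","dest_ip":"2001:db8::24","proto":"ICMPv6","flow":{"pkts_toserver":3,"pkts_toclient":0}}
"""

if __name__ == "__main__":
    for src, dst, proto, direction in find_one_way_flows(SAMPLE_EVE.splitlines()):
        print(f"one-way {proto} flow {src} -> {dst} ({direction})")
```

Point it at a real log with `find_one_way_flows(open("eve.json"))`; because flow records are only written when a flow ends or times out, a flow still open when Suricata stops will not appear, which is worth keeping in mind when the engine exits after a few seconds as described above.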

