[Oisf-users] How to detect one way flows

Qinwen Hu qhu009 at aucklanduni.ac.nz
Tue Oct 13 22:06:40 UTC 2015 

Hi All,

I used the following scripts for detecting one way flow.

function init (args)
    local needs = {}
    needs["packet"] = tostring(true)
    return needs
end

function match(args)
    ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    ts_pkts, ts_bytes, tc_pkts, to_bytes = SCFlowStats()
    tmpstr = string.format("Version: %s; srcip%s:%s -> dstip %s:%s; ts: %s
and tc: %s", ipver, srcip, sp, dstip, dp, ts_pkts, tc_pkts)
    print (tmpstr)
    if ts_pkts == nil then
        return 0
    end

    if ts_pkts > 10 and tc_pkts == 0 then
        return 1
    elseif tc_pkts > 10 and ts_pkts == 0 then
        return 1
    end
    return 0
end


I ran the script for one minute,   when I checked my results, I got
confused. I expected the SCFlowStats() will return the flow information
based on the 5-tuple information. So the script can classify the following
packets as one flow.

Version: 4; srcip 210.7.45.14:443 -> dstip 130.216.182.154:51218; ts: 1 and
tc: 0

Version: 4; srcip 210.7.45.14:443 -> dstip 130.216.182.154:51218; ts: 3 and
tc: 0
Version: 4; srcip 210.7.45.14:443 -> dstip 130.216.182.154:51218; ts: 3 and
tc: 0

Version: 4; srcip 130.216.182.154:51218 -> dstip 210.7.45.14:443; ts: 1 and
tc: 0

But the results show different information.  Why the packet from
130.216.182.154
to  210.7.45.14 didn't count as tc ?


I just wondering, if anyone has same problem, do i miss something in the
scrip?

Many thanks for your help.



Kind regards,



Steven









On 9 October 2015 at 14:18, Qinwen Hu <qhu009 at aucklanduni.ac.nz> wrote:

> Hi Victor,
>
> Many thanks for your reply, I have applied the sample code from your
> previous email into my system. But I find one strange issue:
>
> My Suricata runs for few seconds and then stops. I can see the tcpdump
> still receiving IPv6 packets, but Suricata stops to capture incoming
> packets.
>
> I have attached the screen shot and my configure file in this Email. Can
> you please help me on this issue?
>
>
> I used Suricata 2.1beta4 on my PC.
>
>
> Many thanks for your help, have a nice day.
>
>
> Kind regards,
>
>
> Steven
>
>
>
>
>
>
>
>
> On 9 October 2015 at 00:17, Victor Julien <lists at inliniac.net> wrote:
>
>> On 08-10-15 11:34, Qinwen Hu wrote:
>> > I try to use Suricata to detect one way flows in our network
>> > environment. I have enable the flow module from eve-log. But my suricata
>> > only run 1s for recording the flow and then stop to detect the one way
>> > flow. Does anyone know the reason?
>> >
>> >
>> > I also tried to define a new signature for detecting a one way flow. I
>> > created a new signature
>> >
>> > alert ipv6 any any -> any any (msg:"IPv6 one way flow"; flow:stateless;
>> > sid:2900096; rev:1;)
>> >
>> > Again, I didn't observe any IPv6 one flows. We have used another tool in
>> > the same environment, we can detect IPv6 one way flows by using that
>> tool.
>> >
>> > I just wondering, how to use Suricata to detect a one way flow? Can
>> > anyone help me on this?
>>
>> You could try lua:
>>
>>     ts_pkts, ts_bytes, tc_pkts, to_bytes = SCFlowStats();
>>     if ts_pkts == nil then
>>         return 0
>>     end
>>
>> Full script example:
>>
>> function init (args)
>>     local needs = {}
>>     needs["packet"] = tostring(true)
>>     return needs
>> end
>>
>> function match(args)
>>     ts_pkts, ts_bytes, tc_pkts, to_bytes = SCFlowStats();
>>     if ts_pkts == nil then
>>         return 0
>>     end
>>
>>     if ts_pkts > 10 and tc_pkts == 0 then
>>         return 1
>>     elseif tc_pkts > 10 and ts_pkts == 0 then
>>         return 1
>>     end
>>     return 0
>> end
>>
>> Then add something like:
>>
>> alert ip any any -> any any (flowbits:isnotset,foo; lua:flow-stats.lua;
>> flowbits:set,foo; sid:1;)
>>
>> You'll need recent code for this, e.g. 2.1beta4 or the git master.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona:
>> http://oisfevents.net
>>
>
>
>
> --
>
> 胡勤文/Qinwen Hu
>
> Ph.D. Candidate, Computer Science, University of Auckland
> 奥克兰大学  计算机科学 博士研究生
>
>


-- 

胡勤文/Qinwen Hu

Ph.D. Candidate, Computer Science, University of Auckland
奥克兰大学  计算机科学 博士研究生
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151014/775ccdd8/attachment-0002.html>

More information about the Oisf-users mailing list