Snort mailing list archives
Flowbits option in Snort
From: Matthew Budge <mbudge1 () gmail com>
Date: Mon, 8 Aug 2011 13:10:41 +0100
Hello, I'm having some trouble with the flowbits option in Snort. The rules below all trigger alerts when the flowbits option isn't set. However, when flowbits is set (as shown below) only rules 1 & 2 generate alerts. I understand HTTP GET requests only send the URL and headers to a server, and POST requests can include a message body. However, how does the difference in the HTTP request methods affect how flowbits work in Snort? Although the state name "zeus" is set in rule 1 (as rule 2 triggers an alert), rules 3 & 4 don't recognise this, preventing their alerts from being triggered.

#Rule 1
alert tcp $HOME_NET 1027 -> $EXTERNAL_NET $HTTP_PORTS (content:"GET"; msg:"Rule 1"; flowbits:set,malware; sid:1000010;)

#Rule 2
alert tcp $HOME_NET 1020:1040 -> $EXTERNAL_NET $HTTP_PORTS (content:"GET"; msg:"Rule 2"; flowbits:isset,malware; sid:1000000;)

#Rule 3
alert tcp $HOME_NET 1029 -> $EXTERNAL_NET $HTTP_PORTS (content:"POST"; msg:"Rule 3 Port 1029"; flowbits:isset,malware; sid:1000011;)

#Rule 4
alert tcp $HOME_NET 1030 -> $EXTERNAL_NET $HTTP_PORTS (content:"POST"; msg:"Rule 4: Port 1030"; flowbits:isset,malware; sid:1000012;)

Snort log:

[**] [1:1000010:0] Rule 1 [**]
[Priority: 0]
08/04-17:23:18.108784 10.0.0.2:1027 -> 10.0.1.10:80
TCP TTL:128 TOS:0x0 ID:184 IpLen:20 DgmLen:322 DF
***AP*** Seq: 0x8424D791  Ack: 0x5BE86D33  Win: 0xFFFF  TcpLen: 20

[**] [1:1000000:0] Rule 2 [**]
[Priority: 0]
08/04-17:23:18.108784 10.0.0.2:1027 -> 10.0.1.10:80
TCP TTL:128 TOS:0x0 ID:184 IpLen:20 DgmLen:322 DF
***AP*** Seq: 0x8424D791  Ack: 0x5BE86D33  Win: 0xFFFF  TcpLen: 20

Thanks for any help.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
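As an added illustration of the behaviour the post is asking about (this is not code from the original post or from Snort itself): Snort keeps flowbits state on the TCP session, so a bit set by a rule on one connection is not visible to rules matching a different connection. The model below hand-transcribes the four rules into dicts (Snort rule syntax is not parsed), keys state on the client->server 4-tuple as a stand-in for Snort's session tracking, and runs it over constructed packets shaped like the log above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# The four rules from the post, hand-transcribed: sid, source-port range, content, flowbits op.
RULES = [
    {"sid": 1000010, "sports": (1027, 1027), "content": b"GET", "op": "set"},
    {"sid": 1000000, "sports": (1020, 1040), "content": b"GET", "op": "isset"},
    {"sid": 1000011, "sports": (1029, 1029), "content": b"POST", "op": "isset"},
    {"sid": 1000012, "sports": (1030, 1030), "content": b"POST", "op": "isset"},
]
BIT = "malware"


def flow_key(p: Packet) -> tuple:
    # Snort keeps flowbits on the stream session; the client->server 4-tuple stands in for it here.
    return (p.src, p.sport, p.dst, p.dport)


def run(packets, rules=RULES):
    """Return (alert sids in evaluation order, per-flow flowbit sets)."""
    bits: dict = {}
    alerts = []
    for p in packets:
        fb = bits.setdefault(flow_key(p), set())  # state belongs to this flow only
        for r in rules:
            lo, hi = r["sports"]
            if not (lo <= p.sport <= hi and r["content"] in p.payload):
                continue
            if r["op"] == "set":
                fb.add(BIT)
                alerts.append(r["sid"])
            elif r["op"] == "isset" and BIT in fb:
                alerts.append(r["sid"])
    return alerts, bits


# Constructed traffic shaped like the post's log: one GET from 10.0.0.2:1027, then POSTs on two
# further connections. Each POST is a new flow, so the bit set on the first flow is not visible to it.
PACKETS = [
    Packet("10.0.0.2", 1027, "10.0.1.10", 80, b"GET / HTTP/1.1\r\nHost: 10.0.1.10\r\n\r\n"),
    Packet("10.0.0.2", 1029, "10.0.1.10", 80, b"POST /upload HTTP/1.1\r\nHost: 10.0.1.10\r\n\r\n"),
    Packet("10.0.0.2", 1030, "10.0.1.10", 80, b"POST /upload HTTP/1.1\r\nHost: 10.0.1.10\r\n\r\n"),
]
```

Running `run(PACKETS)` yields alerts for sids 1000010 and 1000000 only, matching the log, and the flowbit set exists solely on the 1027 flow.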