Snort mailing list archives
Re: Problems on Flowbits Option
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 13 Apr 2017 01:19:05 +0000
The stream preprocessor takes care of the three way handshake tracking.

--
Sent from my iPhone

On Apr 12, 2017, at 20:51, Luo Xin <kingsleyluoxin () hotmail com> wrote:

Oh, I see. Thank you so much! I am not so familiar with those options as to help me better use Snort. I shall read more about flow and flowbits as well as other related mechanisms. I really appreciate your help!

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thursday, 13 April 2017, 8:48 AM
To: Luo Xin <kingsleyluoxin () hotmail com>
Subject: Re: [Snort-users] Problems on Flowbits Option

Hence the name flowbits.

--
Sent from my iPhone

On Apr 12, 2017, at 20:37, Luo Xin <kingsleyluoxin () hotmail com> wrote:

Um... But aren't the states transitioning by judging those flags? And is it necessary to use flowbits on the basis of an established flow?

On 2017/4/13, 8:33 AM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Oh, I'm sorry, I didn't see what you did there. I don't think you set and track flowbits on just flags, as there's no flow established on the three way handshake yet.

--
Sent from my iPhone

On Apr 12, 2017, at 20:25, Luo Xin <kingsleyluoxin () hotmail com> wrote:

Thank you for taking the time to reply! In fact, I think I have set the states S1, S2 and S3. Is that a wrong use of flowbits? I have actually wanted to track the states of a protocol and detect some anomalous behaviours.

On 2017/4/12, 7:16 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

I don't see anywhere where you are "set"ting a flowbit. So you aren't tracking anything. That's why you are getting the result you want.

--
Sent from my iPhone

On Apr 11, 2017, at 23:35, Luo Xin <kingsleyluoxin () hotmail com> wrote:

    alert tcp any any -> $HOME_NET any (msg:"State 1"; gid:1; sid:10000001; rev:1; flags:S; flowbits:isnotset,S1; flowbits:set,S1;)
    alert tcp $HOME_NET any -> any any (msg:"State 2"; gid:1; sid:10000002; rev:1; flags:SA; flowbits:isset,S1; flowbits:set,S2;)
    alert tcp any any -> $HOME_NET any (msg:"State 3"; gid:1; sid:10000003; rev:1; flags:A; flowbits:isset,S2; flowbits:set,S3;)

My rules are something like this, and I hope to use this to detect SYN flooding attacks. So how is it possible to describe the situation that is not accepted by the state machine?

On 2017/4/12, 10:25 AM, "Al Lewis (allewi)" <allewi () cisco com> wrote:

It will help if you provided an example. "My rules don't work" isn't much to go on :-)

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 4/11/17, 9:58 PM, "Luo Xin" <kingsleyluoxin () hotmail com> wrote:

I am trying to build a state machine for TCP or other protocols. But I don't know why my rules don't work. ☹

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Monday, 10 April 2017, 11:55 PM
To: Luo Xin <kingsleyluoxin () hotmail com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Problems on Flowbits Option

Many people have done what you are trying to do. What are you trying to do??

--
Joel Esler | Talos: Manager | jesler () cisco com

On Apr 10, 2017, at 3:55 AM, Luo Xin <kingsleyluoxin () hotmail com> wrote:

Hello, everyone! I have been confused about the flowbits option. According to the Snort manual, it is possible to use this option to implement a simple state machine. I have been trying to do that, but my attempts have failed. I have been wondering if I have a wrong understanding of this flowbits option. Is there anybody who has ever used the flowbits option to implement a protocol state machine? If so, would you please be so kind as to help me solve my puzzles? Any help shall be appreciated.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
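Two rule fragments, added here as a constructed example and not taken from any message in the thread, that show the split Joel's replies point at: counting SYNs belongs in a stateless rule with detection_filter, because stream5 has not established a flow yet, while a flowbits chain runs on a flow that is already established. Assumes Snort 2.9 rule syntax with stream5 enabled; the sids, the flowbit name and the HTTP content matches are placeholders.

```snort
# Constructed example, not posted by anyone in the thread.
# Assumes Snort 2.9 syntax, stream5 enabled, $HOME_NET/$EXTERNAL_NET defined in snort.conf.
# sids 1000010-1000012 and the flowbit name "local.stage1" are placeholders.

# (1) SYN-rate detection for the handshake stage. No flowbits here: the packet
#     is inspected statelessly and detection_filter alerts only once more than
#     200 SYNs reach the same destination host within 10 seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"LOCAL possible SYN flood against $HOME_NET host"; \
    flow:stateless; \
    flags:S,12; \
    detection_filter:track by_dst, count 200, seconds 10; \
    classtype:attempted-dos; \
    sid:1000010; rev:1; )

# (2) Two-stage flowbits state machine, valid only because flow:established
#     guarantees stream5 already tracks the session that stores the bit.
#     Stage 1 sets the bit silently (noalert); stage 2 alerts only when the
#     bit was set earlier on the same flow, then clears it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"LOCAL stage 1 - request seen on established flow"; \
    flow:to_server,established; \
    content:"GET "; depth:4; \
    flowbits:set,local.stage1; \
    flowbits:noalert; \
    sid:1000011; rev:1; )

alert tcp $HOME_NET 80 -> $EXTERNAL_NET any ( \
    msg:"LOCAL stage 2 - response following stage 1 request"; \
    flow:to_client,established; \
    content:"HTTP/1"; depth:6; \
    flowbits:isset,local.stage1; \
    flowbits:unset,local.stage1; \
    sid:1000012; rev:1; )
```

The stage 2 rule never fires on a flow where stage 1 did not run first, which is the "state not accepted by the machine" case the thread asks about; for handshake-level states the stateless rule in (1) is the tool, not flowbits.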
Current thread:
- Problems on Flowbits Option Luo Xin (Apr 10)
- Re: Problems on Flowbits Option Joel Esler (jesler) (Apr 10)
- Re: Problems on Flowbits Option Luo Xin (Apr 11)
- Re: Problems on Flowbits Option Al Lewis (allewi) (Apr 11)
- Re: Problems on Flowbits Option Luo Xin (Apr 11)
- Re: Problems on Flowbits Option Joel Esler (jesler) (Apr 12)
- Re: Problems on Flowbits Option Luo Xin (Apr 12)
- Re: Problems on Flowbits Option Joel Esler (jesler) (Apr 12)
- Re: Problems on Flowbits Option Luo Xin (Apr 12)
- Re: Problems on Flowbits Option Joel Esler (jesler) (Apr 12)
- Re: Problems on Flowbits Option Joel Esler (jesler) (Apr 10)