File: README.flowbits

snort 2.3.2-3
Flowbits Detection Capability
-----------------------------

The flowbits detection plugin uses the flow preprocessor to track rule state
across transport protocol sessions.  This is most useful for TCP sessions, as
it allows rules to generically track the state of an application protocol.

The general configuration of the flowbits rule option is:

    flowbits:<keyword>[,<STATE_NAME>];

Flowbits Keywords
-----------------

There are seven keywords associated with flowbits; most of them need a
user-defined name for the specific state that is being checked.  This name may
be any alphanumeric string and may also contain periods, dashes, and
underscores.

set
---
This keyword sets a STATE_NAME for a particular flow.  This keyword always
returns true.

Usage:  flowbits:set,FOO;

unset
-----
This keyword unsets a STATE_NAME for a particular flow.  This keyword always
returns true.

Usage:  flowbits:unset,FOO;

toggle
------
This keyword sets a STATE_NAME if unset, and unsets a STATE_NAME if set.  This
keyword always returns true.

Usage:  flowbits:toggle,FOO;

isset
-----
This keyword checks a STATE_NAME to see if it is set.  It returns true if the
STATE_NAME is set, and returns false if the STATE_NAME is not set.

Usage:  flowbits:isset,FOO;

isnotset
--------
This keyword checks a STATE_NAME to see if it is not set.  It returns true if
the STATE_NAME is not set, and returns false if the STATE_NAME is set.

Usage:  flowbits:isnotset,FOO;

noalert
-------
This keyword always returns false.  It allows users to write rules that set,
unset, and toggle STATE_NAME without generating an alert.  This is most useful
for writing flowbit rules that set STATE_NAME on normal traffic and
significantly reduces unwanted alerts.  There is no STATE_NAME specified with
this keyword.

Usage:  flowbits:noalert;

reset
-----
This keyword resets all of the states on a given flow.  This keyword always
returns true.  There is no STATE_NAME specified with this keyword.

Usage:  flowbits:reset;

Sample Rules
------------
alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in;)
alert tcp any any -> any 143 (msg:"IMAP lsub"; content:"LSUB"; flowbits:isset,logged_in;)
alert tcp any any -> any 143 (msg:"IMAP LIST WITHOUT LOGIN"; content:"LIST"; flowbits:isnotset,logged_in;)
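As an added illustration (not part of this README or of the Snort source), the following Python script models the flowbits keyword semantics described above and runs the three sample rules over a constructed IMAP exchange, showing that LIST alerts only before a successful login and that state is kept per flow. The packet list, the flow ids and the minimal rule parser are assumptions of the example.

```python
import re
# Constructed IMAP traffic (not a capture): (flow_id, src_port, dst_port, payload).
PACKETS = [
    ("flowA", 50000, 143, 'a1 LIST "" *'),           # LIST before login -> alert
    ("flowA", 143, 50000, 'a2 OK LOGIN completed'),  # server accepts: logged_in gets set
    ("flowA", 50000, 143, 'a3 LSUB "" *'),           # isset,logged_in -> alert
    ("flowA", 50000, 143, 'a4 LIST "" *'),           # LIST after login -> silent
    ("flowB", 50001, 143, 'b1 LIST "" *'),           # other flow; state is per flow -> alert
]
# The three sample rules from the README, verbatim.
RULES_TEXT = '''\
alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in;)
alert tcp any any -> any 143 (msg:"IMAP lsub"; content:"LSUB"; flowbits:isset,logged_in;)
alert tcp any any -> any 143 (msg:"IMAP LIST WITHOUT LOGIN"; content:"LIST"; flowbits:isnotset,logged_in;)
'''
RULE_RE = re.compile(r'alert tcp \S+ (\S+) -> \S+ (\S+) \((.*)\)$')

def parse_rule(line):
    # Minimal parser (an assumption of this example): ports plus msg, content and flowbits.
    sport, dport, body = RULE_RE.match(line).groups()
    return {"sport": sport, "dport": dport,
            "msg": re.search(r'msg:"([^"]*)"', body).group(1),
            "content": re.findall(r'content:"([^"]*)"', body),
            "flowbits": [(kw, name or None)
                         for kw, name in re.findall(r'flowbits:(\w+)(?:,([\w.-]+))?', body)]}

def flowbit(state, kw, name):
    # One flowbits keyword against a flow's state set; returns what the plugin returns.
    if kw == "set":      state.add(name); return True
    if kw == "unset":    state.discard(name); return True
    if kw == "toggle":   state.symmetric_difference_update({name}); return True
    if kw == "reset":    state.clear(); return True
    if kw == "isset":    return name in state
    if kw == "isnotset": return name not in state
    if kw == "noalert":  return False
    raise ValueError(f"unknown flowbits keyword {kw!r}")

def run(rules, packets):
    # Options are checked in order and stop at the first false, so a failed check suppresses the alert.
    flows, alerts = {}, []
    for flow_id, sport, dport, payload in packets:
        state = flows.setdefault(flow_id, set())
        for r in rules:
            if (r["sport"] in ("any", str(sport)) and r["dport"] in ("any", str(dport))
                    and all(c in payload for c in r["content"])
                    and all(flowbit(state, kw, name) for kw, name in r["flowbits"])):
                alerts.append((flow_id, r["msg"]))
    return alerts

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]
ALERTS = run(RULES, PACKETS)  # four alerts; the post-login LIST on flowA is silent
```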