[Snort-devel] First comments on new flowbits plugin

Milani Paolo Paolo.Milani at ...866...
Thu Feb 5 04:43:03 EST 2004


I gave a quick look at the flowbits plugin code. It seems quite interesting, it is a pretty general way of adding arbitrary statefulness to snort, without having to add different options for each specific stateful behaviour we want to implement.
The one thing that I don't like is that in my opinion, while flowbits isset and isnotset options clearly belong as option functions (AddOptFuncToList..) it seems to me that all the set, unset, toggle and reset options should be response functions (AddRspFuncToList): my way of seeing it is that if the rule triggers, then the (to use the example in the readme file) imap login has been detected, so a response function is triggered that modifies the state of the flow to remember that. This way the position in which the option is written in the rule becomes irrelevant.
The only issue with this is the flowbits: noalert option, which would not work anymore, but I believe that adding a special noalert keyword to snort core would be a better approach (such a noalert would be tested after response fucntion are called but before fpLogEvent is called). I think this kind of behaviour belongs in the threshholding code..
Avoiding alerts is a general issue with all stateful behaviour, when we want a rule to change global state, but the event is too frequent or not important enough for us to want to alert on it, so I do not think this option should be specific to the flowbits plugin...

Paolo Milani

This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please contact us by
replying to MailAdmin at ...2137... Thank you

More information about the Snort-devel mailing list