[Snort-users] Problems on Flowbits Option

Joel Esler (jesler) jesler at ...589...
Wed Apr 12 07:16:28 EDT 2017


I don't see anywhere where you are "set"ting a flowbit. So you aren't tracking anything. That's why you are getting the result you want.

--
Sent from my iPhone

> On Apr 11, 2017, at 23:35, Luo Xin <kingsleyluoxin at ...125...> wrote:
> 
> alert tcp any any -> $HOME_NET any (msg: "State 1"; gid: 1; sid: 10000001; flags: S; flowbits: isnotset, S1; flowbits: set, S1;)
> alert tcp $HOME_NET any -> any any (msg: "State 2"; gid: 1; sid: 10000002; flags: SA; flowbits: isset, S1; flowbits: set, S2;)
> alert tcp any any -> $HOME_NET any (msg: "State 3"; gid: 1; sid: 10000003; flags: A; flowbits: isset, S2; flowbits: set, S3;)
> 
> My rules are something like this, and I hope to use this to detect SYN flooding attacks. So how is it possible to describe the situation that is not accepted by the state machine?
> 
> On 2017/4/12 10:25 AM, "Al Lewis (allewi)" <allewi at ...589...> wrote:
> 
>    It will help if you provided an example. 
> 
>    “My rules don’t work” isn't much to go on :-)
> 
> 
>    Albert Lewis
>    ENGINEER.SOFTWARE ENGINEERING
>    SOURCEfire, Inc. now part of Cisco
>    Email: allewi at ...589... 
> 
>>    On 4/11/17, 9:58 PM, "Luo Xin" <kingsleyluoxin at ...125...> wrote:
>> 
>> I am trying to build a state machine for TCP or other protocols. But I don’t know why my rules don’t work. ☹
>> 
>> From: "Joel Esler (jesler)" <jesler at ...589...>
>> Date: Monday, April 10, 2017 11:55 PM
>> To: Luo Xin <kingsleyluoxin at ...125...>
>> Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>> Subject: Re: [Snort-users] Problems on Flowbits Option
>> 
>> Many people have done what you are trying to do.  What are you trying to do??
>> 
>> 
>> --
>> Joel Esler | Talos: Manager | jesler at ...589...
>> 
>> On Apr 10, 2017, at 3:55 AM, Luo Xin <kingsleyluoxin at ...125...> wrote:
>> 
>> Hello, everyone!
>> 
>> 
>> I have been confused about the flowbits option. According to the Snort manual, it is possible to use this option to implement a simple state machine. I have been trying to do that, but my tries prove to be failures. I have been wondering if I have a wrong understanding of this flowbits option.
>> 
>> 
>> Is there anybody that has ever used flowbits option to implement a protocol state machine? If any, would you please be so kind as to help me solve my puzzles?
>> 
>> 
>> Any help shall be appreciated.
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
> 
> 
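To make the behaviour of the three rules concrete, here is an added example (not code from this thread or from Snort) that models how Snort evaluates flowbits per TCP session. It runs the quoted rules (keywords lowercased) plus a hypothetical fourth rule, sid 10000004, that fires on a packet the state machine does not accept, and shows why a half-open session never produces an alert by itself: flowbits only react to packets that arrive, not to packets that are missing.

```python
# Added example, not code from the thread or from Snort: a Python model of how
# Snort tracks flowbits per TCP session, run over the three rules quoted above
# plus one hypothetical rule (sid 10000004) for a packet the state machine rejects.
RULES_TEXT = [
    'alert tcp any any -> $HOME_NET any (msg: "State 1"; gid: 1; sid: 10000001; flags: S; flowbits: isnotset, S1; flowbits: set, S1;)',
    'alert tcp $HOME_NET any -> any any (msg: "State 2"; gid: 1; sid: 10000002; flags: SA; flowbits: isset, S1; flowbits: set, S2;)',
    'alert tcp any any -> $HOME_NET any (msg: "State 3"; gid: 1; sid: 10000003; flags: A; flowbits: isset, S2; flowbits: set, S3;)',
    # hypothetical: a bare ACK toward $HOME_NET although no SYN/ACK was seen on this session
    'alert tcp any any -> $HOME_NET any (msg: "ACK without handshake"; gid: 1; sid: 10000004; flags: A; flowbits: isnotset, S2;)',
]

def parse_rule(rule):
    """Keep only what the model needs: direction, sid, flags and flowbits operations."""
    header, body = rule.split("(", 1)
    parsed = {"to_home": header.split("->")[1].strip().startswith("$HOME_NET"), "flowbits": []}
    for opt in filter(None, (o.strip() for o in body.rstrip(")").split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "flowbits":
            op, _, bit = val.partition(",")
            parsed["flowbits"].append((op.strip(), bit.strip()))
        else:
            parsed[key] = val.strip('"')
    return parsed

RULES = [parse_rule(r) for r in RULES_TEXT]

def run_session(packets, rules=RULES):
    """Evaluate every rule against every packet of ONE session, in rule order.
    Bits update as soon as a rule matches and never cross sessions (each SYN of
    a flood starts a fresh session with nothing set); only an arriving packet can
    fire a rule, so a missing ACK triggers nothing. Returns (alerted sids, bits)."""
    bits, alerts = set(), []
    for to_home, flags in packets:
        for rule in rules:
            if rule["to_home"] != to_home or rule["flags"] != flags:
                continue  # flags: S / SA / A are exact matches, as in Snort
            tests = [(op, b) for op, b in rule["flowbits"] if op in ("isset", "isnotset")]
            if all((b in bits) == (op == "isset") for op, b in tests):
                bits.update(b for op, b in rule["flowbits"] if op == "set")
                alerts.append(rule["sid"])
    return alerts, bits

# Constructed sessions: (packet heading toward $HOME_NET?, TCP flags)
FULL_HANDSHAKE = [(True, "S"), (False, "SA"), (True, "A")]
HALF_OPEN = [(True, "S"), (False, "SA")]  # client never sends the final ACK
STRAY_ACK = [(True, "A")]                 # no handshake at all
if __name__ == "__main__":
    for name, pkts in (("full", FULL_HANDSHAKE), ("half-open", HALF_OPEN), ("stray", STRAY_ACK)):
        print(name, run_session(pkts))
```

The half-open session ends with S1 and S2 set and no further alert, which is the gap in using flowbits alone for SYN-flood detection: counting half-open sessions needs a rate-based mechanism rather than per-session state.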