Thursday, January 29, 2015

Session based Rules: Writing flowbit based rules for Suricata IDS/IPS

The majority of Suricata/Snort rules are packet based: each rule is evaluated against a single packet. Sometimes a detection needs state that spans several packets of the same session, for example a multi-step handshake where the interesting packet is only interesting because of what came before it. Suricata's flowbits keyword provides that state: a named flag stored in the flow (the TCP session) that one rule sets and a later rule tests.

From the Suricata documentation:

flowbits: set, name                Will set the condition/'name', if present, in the flow.
flowbits: isset, name              Can be used in the rule to make sure it generates an alert                          
                                   when the rule matches and the condition is set in the flow.
flowbits: toggle, name             Reverses the present setting. So for example if a condition is set, 
                                   it will be unset and vice-versa.
flowbits: unset, name              Can be used to unset the condition in the flow.
flowbits: isnotset, name           Can be used in the rule to make sure it generates an alert
                                   when it matches and the condition is not set in the flow.
flowbits: noalert                  Does not generate an alert for this rule.
The five rules below chain four flowbits through one TCP session on port 5900. Rule 1 fires on a server-to-client packet containing "DARSHANAM", sets fb1 and, because of flowbits:noalert, raises no alert. Rule 2 fires on a client-to-server packet containing "DARSHANAM" only if fb1 is already set in that flow, then sets fb2, again without alerting. Rules 3 and 4 continue the chain (fb2 -> fb3 -> fb4) with an anchored content match and a byte_test respectively. Only the last rule alerts: it requires fb4 and unsets it afterwards, so the alert fires once per completed chain rather than on every later packet that happens to satisfy its byte_test and content; fb1 to fb3 stay set for the life of the flow. Two points worth keeping in mind when writing such chains: flowbits live in the flow, so all five stages must occur in the same session and in this order (a stage seen in another flow, or before its predecessor, does nothing); and offset:0 without a depth does not anchor a content match to the start of the payload, it only sets where the search begins, so rules 1 and 2 match "DARSHANAM" anywhere in the payload, whereas rule 3, with depth:4, is anchored to the first four bytes.

alert tcp any 5900 -> any any (msg:"Flowbit based Rule 1"; flow:established,to_client; content:"DARSHANAM"; offset:0; flowbits:set,fb1; flowbits:noalert; reference:cve,CVE-2014-nnnn; sid:11223341; )

alert tcp any any -> any 5900 (msg:"Flowbit based Rule 2"; flow:established,to_server; content:"DARSHANAM"; offset:0; flowbits:isset,fb1; flowbits:set,fb2; flowbits:noalert; reference:cve,CVE-2014-nnnn; sid:11223342; )

alert tcp any 5900 -> any any (msg:"Flowbit based Rule 3"; flow:established,to_client; content:"|00 00 00 00|"; offset:0; depth:4; flowbits:isset,fb2; flowbits:set,fb3; flowbits:noalert; reference:cve,CVE-2014-nnnn; sid:11223343; )

alert tcp any any -> any 5900 (msg:"Flowbit based Rule 4"; flow:established,to_server; byte_test:1,=,0,7; flowbits:isset,fb3; flowbits:set,fb4; flowbits:noalert; reference:cve,CVE-2014-nnnn; sid:11223344; )

alert tcp any any -> any 5900 (msg:"Alert Rule: Flowbit based Rule"; flow:established,to_server; byte_test:1,=,2,0; content:"|00 00 00 07|"; flowbits:isset,fb4; flowbits:unset,fb4; reference:cve,CVE-2014-nnnn; sid:44448888; )

Alerts are logged to /var/log/suricata/alert-debug.log. This is the alert-debug output in suricata.yaml, which is disabled by default and has to be enabled under outputs to get this verbose per-alert dump; it is useful while developing rules, not as a production alert log. The entry for the final rule looks like this:

+================
TIME:              01/27/2014-15:37:28.625783
PKT SRC:           wire/pcap
SRC IP:            192.168.1.2
DST IP:            192.168.8.158
PROTO:             6
SRC PORT:          38603
DST PORT:          5900
TCP SEQ:           3520133923
TCP ACK:           3147758094
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     01/27/2014-15:36:42.465932
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER:    DETECTED: FALSE, PROTO 0
FLOWBIT:           fb1
FLOWBIT:           fb2
FLOWBIT:           fb3
FLOWBIT:           fb4
PACKET LEN:        82
PACKET:
 0000  00 50 88 XX YY ZZ A0 DD  C1 XX YY ZZ 08 00 45 00   .P..b... ..J}..E.
 0010  00 44 31 E1 40 00 40 06  A7 12 C0 A8 01 02 C0 A8   .D1.@.@. ........
 0020  08 9E 96 CB 17 0C D1 D0  FB 23 BB 9E FA 0E 80 18   ........ .#......
 0030  00 73 E7 C9 00 00 01 01  08 0A 57 AB CE CC 25 92   .s...... ..W...%.
 0040  AF 17 02 00 00 03 00 00  00 07 FF FF FF E0 FF FF   ........ ........
 0050  FF 20                                              .
ALERT CNT:           1
ALERT MSG [00]:      Alert Rule: Flowbit based Rule
ALERT GID [00]:      1
ALERT SID [00]:      44448888
ALERT REV [00]:      0
ALERT CLASS [00]:    
ALERT PRIO [00]:     3
ALERT FOUND IN [00]: PACKET
ALERT IN TX [00]:    N/A
PAYLOAD LEN:         16
PAYLOAD:
 0000  02 00 00 03 00 00 00 07  FF FF FF E0 FF FF FF 20   ........ .......
+================

In this entry the FLOWBIT lines show fb1, fb2, fb3 and fb4 all set in the flow, i.e. rules 1 to 4 had already matched earlier packets of this session (port 5900 is the default VNC/RFB port). The payload's first byte is 0x02, which satisfies byte_test:1,=,2,0, and bytes 4 to 7 are 00 00 00 07, which satisfies the content match, so the last rule fires: "Alert Rule: Flowbit based Rule", sid 44448888. It is the only one of the five rules to appear as an ALERT: the four noalert rules left their mark in the FLOWBIT lines but produced no alert of their own.
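To make the session semantics concrete, here is a toy model of how the five rules above are evaluated packet by packet. This is an added example written for this post, not Suricata code: it implements only the keywords those rules use (flow direction, content with offset/depth, a single-operator byte_test, and flowbits set/isset/isnotset/unset/toggle/noalert), evaluates rules in the order listed, and keeps one set of flowbits per flow key. The flow keys and the first four payloads are constructed; the last payload is the 16 bytes from the alert-debug.log entry above. Besides the successful chain it runs two negative cases the log cannot show: the alerting packet arriving in a flow that never saw stages 1 to 4, and the stages arriving out of order.

```python
# Toy model of flowbit evaluation across the packets of one flow. Added example
# for this post, NOT Suricata code: only the keywords the five rules use are
# modelled, and rules are evaluated in the order they are listed.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    sid: int
    msg: str
    direction: str                      # "to_server" or "to_client"
    content: Optional[bytes] = None
    offset: int = 0                     # where the content search starts
    depth: Optional[int] = None         # bytes to search from offset; None = to end
    byte_test: Optional[Tuple] = None   # (nbytes, op, value, offset), e.g. (1, "=", 0, 7)
    isset: Optional[str] = None
    isnotset: Optional[str] = None
    set_: Optional[str] = None
    unset: Optional[str] = None
    toggle: Optional[str] = None
    noalert: bool = False

@dataclass
class Packet:
    flow: Tuple        # flow key; flowbits are scoped to it (constructed values below)
    direction: str
    payload: bytes

def content_match(payload: bytes, r: Rule) -> bool:
    if r.content is None:
        return True
    end = len(payload) if r.depth is None else r.offset + r.depth
    return r.content in payload[r.offset:end]   # offset alone does not anchor the match

def byte_test_match(payload: bytes, r: Rule) -> bool:
    if r.byte_test is None:
        return True
    nbytes, op, value, off = r.byte_test
    if len(payload) < off + nbytes:
        return False
    got = int.from_bytes(payload[off:off + nbytes], "big")
    return {"=": got == value, "<": got < value, ">": got > value}[op]

def evaluate(rules, packets):
    """Return (alerts, flowbits): alerts as (sid, msg) in packet order, flowbits
    as {flow key: names still set after the last packet}."""
    flowbits, alerts = {}, []
    for pkt in packets:
        bits = flowbits.setdefault(pkt.flow, set())
        for r in rules:
            if r.direction != pkt.direction:
                continue
            if not (content_match(pkt.payload, r) and byte_test_match(pkt.payload, r)):
                continue
            # isset/isnotset are conditions: checked against the state BEFORE
            # this rule's own set/unset/toggle actions are applied
            if r.isset is not None and r.isset not in bits:
                continue
            if r.isnotset is not None and r.isnotset in bits:
                continue
            if r.set_:
                bits.add(r.set_)
            if r.unset:
                bits.discard(r.unset)
            if r.toggle:
                bits.symmetric_difference_update({r.toggle})
            if not r.noalert:
                alerts.append((r.sid, r.msg))
    return alerts, flowbits

# The five rules from the post, transcribed into the model.
RULES = [
    Rule(11223341, "Flowbit based Rule 1", "to_client", content=b"DARSHANAM",
         set_="fb1", noalert=True),
    Rule(11223342, "Flowbit based Rule 2", "to_server", content=b"DARSHANAM",
         isset="fb1", set_="fb2", noalert=True),
    Rule(11223343, "Flowbit based Rule 3", "to_client", content=b"\x00\x00\x00\x00",
         depth=4, isset="fb2", set_="fb3", noalert=True),
    Rule(11223344, "Flowbit based Rule 4", "to_server", byte_test=(1, "=", 0, 7),
         isset="fb3", set_="fb4", noalert=True),
    Rule(44448888, "Alert Rule: Flowbit based Rule", "to_server",
         content=b"\x00\x00\x00\x07", byte_test=(1, "=", 2, 0), isset="fb4", unset="fb4"),
]

# Constructed traffic: flow keys are made up, FINAL is the payload from the log.
FLOW_A = ("10.0.0.2", 38603, "10.0.0.1", 5900)
FLOW_B = ("10.0.0.3", 40001, "10.0.0.1", 5900)
FINAL = bytes.fromhex("02000003 00000007 FFFFFFE0 FFFFFF20")

def session(flow):
    return [
        Packet(flow, "to_client", b"DARSHANAM"),                         # stage 1 -> fb1
        Packet(flow, "to_server", b"DARSHANAM"),                         # stage 2 -> fb2
        Packet(flow, "to_client", b"\x00\x00\x00\x00"),                  # stage 3 -> fb3
        Packet(flow, "to_server", b"\x01\x00\x00\x00\x00\x00\x00\x00"),  # byte 7 == 0 -> fb4
        Packet(flow, "to_server", FINAL),                                # byte 0 == 2, has 00 00 00 07
    ]

def full_chain():
    """All five stages in one flow: exactly one alert, and it consumes fb4."""
    return evaluate(RULES, session(FLOW_A))

def final_packet_in_fresh_flow():
    """The alerting packet in a flow that never saw stages 1-4: no alert."""
    return evaluate(RULES, [Packet(FLOW_B, "to_server", FINAL)])

def stages_out_of_order():
    """Stage 2 before stage 1: isset,fb1 fails, so the chain never completes."""
    p = session(FLOW_A)
    return evaluate(RULES, [p[1], p[0]] + p[2:])

if __name__ == "__main__":
    for fn in (full_chain, final_packet_in_fresh_flow, stages_out_of_order):
        print(fn.__name__, *fn())
```

Running it shows the full chain producing a single (44448888, ...) alert with fb1, fb2 and fb3 still set and fb4 gone, while the same final packet in a fresh flow, or the stages in the wrong order, produce no alert at all. Real Suricata does more than this model (it reorders signatures so that flowbit setters are evaluated before checkers within one packet, and it tracks flows by the real 5-tuple), but the flow-scoped, order-dependent behaviour is the same.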