As per the Suricata documentation, flowbits chain rules across one flow as follows:
If packet 1 contains the content "DARSHANAM", set the flowbit (condition/name) fb1 and do not trigger an alert. If packet 2 contains the content "DARSHANAM", check that fb1 is already set, then set fb2 and again do not trigger an alert.
alert tcp any 5900 -> any any (msg:"Flowbit based Rule 1"; flow:established,to_client; content:"DARSHANAM"; offset:0; flowbits:set,fb1; flowbits:noalert; reference:cve,CVE-2014-nnnn; sid:11223341; )
alert tcp any any -> any 5900 (msg:"Flowbit based Rule 2"; flow:established,to_server; content:"DARSHANAM"; offset:0; flowbits:isset,fb1; flowbits:set,fb2; flowbits:noalert; reference:cve,CVE-2014-nnnn; sid:11223342; )
alert tcp any 5900 -> any any (msg:"Flowbit based Rule 3"; flow:established,to_client; content:"|00 00 00 00|"; offset:0; depth:4; flowbits:isset,fb2; flowbits:set,fb3; flowbits:noalert; reference:cve,CVE-2014-nnnn; sid:11223343; )
alert tcp any any -> any 5900 (msg:"Flowbit based Rule 4"; flow:established,to_server; byte_test:1,=,0,7; flowbits:isset,fb3; flowbits:set,fb4; flowbits:noalert; reference:cve,CVE-2014-nnnn; sid:11223344; )
alert tcp any any -> any 5900 (msg:"Alert Rule: Flowbit based Rule"; flow:established,to_server; byte_test:1,=,2,0; content:"|00 00 00 07|"; flowbits:isset,fb4; flowbits:unset,fb4; reference:cve,CVE-2014-nnnn; sid:44448888; )
Alerts are logged to /var/log/suricata/alert-debug.log
+================
TIME: 01/27/2014-15:37:28.625783
PKT SRC: wire/pcap
SRC IP: 192.16.1.2
DST IP: 192.16.8.158
PROTO: 6
SRC PORT: 38603
DST PORT: 5900
TCP SEQ: 3520133923
TCP ACK: 3147758094
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 01/27/2014-15:36:42.465932
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: FALSE, PROTO 0
FLOWBIT: fb1
FLOWBIT: fb2
FLOWBIT: fb3
FLOWBIT: fb4
PACKET LEN: 82
PACKET:
0000 00 50 88 XX YY ZZ A0 DD C1 XX YY ZZ 08 00 45 00 .P..b... ..J}..E.
0010 00 44 31 E1 40 00 40 06 A7 12 C0 A8 01 02 C0 A8 .D1.@.@. ........
0020 08 9E 96 CB 17 0C D1 D0 FB 23 BB 9E FA 0E 80 18 ........ .#......
0030 00 73 E7 C9 00 00 01 01 08 0A 57 AB CE CC 25 92 .s...... ..W...%.
0040 AF 17 02 00 00 03 00 00 00 07 FF FF FF E0 FF FF ........ ........
0050 FF 20 .
ALERT CNT: 1
ALERT MSG [00]: Alert Rule: Flowbit based Rule
ALERT GID [00]: 1
ALERT SID [00]: 44448888
ALERT REV [00]: 0
ALERT CLASS [00]:
ALERT PRIO [00]: 3
ALERT FOUND IN [00]: PACKET
ALERT IN TX [00]: N/A
PAYLOAD LEN: 16
PAYLOAD:
0000 02 00 00 03 00 00 00 07 FF FF FF E0 FF FF FF 20 ........ .......
+================
From the above log we can see that all four flowbit conditions/names (fb1, fb2, fb3 and fb4) have been set on this flow, so the final rule matches and in turn triggers the alert "Alert Rule: Flowbit based Rule", sid 44448888.
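To make the chaining concrete, here is an added example that is not from the original post or from the Suricata project: a small Python model of the five rules above, run over a constructed packet sequence. It models only the keywords the rules use (flow direction, content, byte_test, flowbits) with packets as (direction, payload) tuples; port matching, stream reassembly and the real engine's rule ordering are assumptions left out, and the last payload is the PAYLOAD hex from the log record above.

```python
# Added example, not Suricata code: a small model of the five flowbit rules
# above run over a constructed packet sequence. It models only the keywords
# the rules use (flow direction, content, byte_test, flowbits); port matching,
# stream reassembly and the engine's real rule ordering are left out.

# (sid, flow direction, payload predicate, isset, set, unset, noalert)
RULES = [
    # Rule 1: content "DARSHANAM" at offset 0, to_client
    ("11223341", "to_client", lambda d: d.startswith(b"DARSHANAM"), None, "fb1", None, True),
    # Rule 2: same content to_server; only counts once fb1 is set
    ("11223342", "to_server", lambda d: d.startswith(b"DARSHANAM"), "fb1", "fb2", None, True),
    # Rule 3: |00 00 00 00| at offset 0, depth 4, to_client; needs fb2
    ("11223343", "to_client", lambda d: d[:4] == b"\x00" * 4, "fb2", "fb3", None, True),
    # Rule 4: byte_test:1,=,0,7 (byte at offset 7 is 0), to_server; needs fb3
    ("11223344", "to_server", lambda d: len(d) > 7 and d[7] == 0, "fb3", "fb4", None, True),
    # Rule 5: byte_test:1,=,2,0 plus |00 00 00 07| anywhere; needs fb4, alerts, unsets fb4
    ("44448888", "to_server",
     lambda d: len(d) > 0 and d[0] == 2 and b"\x00\x00\x00\x07" in d, "fb4", None, "fb4", False),
]


def run_flow(packets):
    """Evaluate every rule against each (direction, payload) packet in order,
    carrying flowbits across the flow. Returns (alerting sids, bits still set)."""
    bits, alerts = set(), []
    for direction, payload in packets:
        for sid, rule_dir, matches, need, set_bit, unset_bit, noalert in RULES:
            if direction != rule_dir or not matches(payload):
                continue
            if need is not None and need not in bits:
                continue  # flowbits:isset fails: the earlier stage was not seen on this flow
            if set_bit:
                bits.add(set_bit)
            if unset_bit:
                bits.discard(unset_bit)  # flowbits:unset, so the chain must start over
            if not noalert:
                alerts.append(sid)
    return alerts, bits


# Constructed flow that walks the whole chain; the last payload is the PAYLOAD
# hex from the alert-debug.log record above.
FLOW_FROM_LOG = [
    ("to_client", b"DARSHANAM"),
    ("to_server", b"DARSHANAM"),
    ("to_client", b"\x00\x00\x00\x00\x00\x00\x00\x00"),
    ("to_server", b"\x01\x00\x00\x00\x00\x00\x00\x00"),  # byte 7 == 0
    ("to_server", bytes.fromhex("0200000300000007ffffffe0ffffff20")),
]
```

run_flow(FLOW_FROM_LOG) returns (['44448888'], {'fb1', 'fb2', 'fb3'}), while the final packet on its own, run_flow(FLOW_FROM_LOG[-1:]), returns ([], set()) because fb4 was never set on that flow.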