::
alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; \
- flowint: usernamecount, +, 1; noalert;)
+ flowint: usernamecount, +, 1; noalert;)
This will count each occurrence and increment the var usernamecount
and not generate an alert for each.
::
alert tcp any any -> any any (msg:"More than Five Usernames!"; content:"jonkman"; \
- flowint: usernamecount, +, 1; flowint:usernamecount, >, 5;)
+ flowint: usernamecount, +, 1; flowint:usernamecount, >, 5;)
So we'll get an alert ONLY if usernamecount is over five.
::
alert tcp any any -> any any (msg:"Username Logged out"; content:"logout jonkman"; \
- flowint: usernamecount, -, 1; flowint:usernamecount, >, 5;)
+ flowint: usernamecount, -, 1; flowint:usernamecount, >, 5;)
So now we'll get an alert ONLY if there are more than five active
logins for this particular username.
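Review bot: the decrement in this rule is cancelled out by the first rule of the section, whose `content:"jonkman"` is a substring match and therefore also fires on a `logout jonkman` packet, adding 1 to usernamecount on the same flow; net effect of a logout is zero and the counter never comes back down, so the "more than five active logins" description does not hold. Suggest giving the first rule a login-specific match (for example `content:"login jonkman"`) so the increment and the decrement track distinct events.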
::
alert tcp any any -> any any (msg:"Start a login count"; content:"login failed"; \
- flowint:loginfail, notset; flowint:loginfail, =, 1; noalert;)
+ flowint:loginfail, notset; flowint:loginfail, =, 1; noalert;)
So we detect the initial fail if the variable is not yet set and set
it to 1 if so. Our first hit.
::
alert tcp any any -> any any (msg:"Counting Logins"; content:"login failed"; \
- flowint:loginfail, isset; flowint:loginfail, +, 1; noalert;)
+ flowint:loginfail, isset; flowint:loginfail, +, 1; noalert;)
We are now incrementing the counter if it's set.
::
- alert tcp any any -> any any (msg:"More than Five login fails in a Stream"; content:"login failed"; \
- flowint:loginfail, isset; flowint:loginfail, >, 5;)
+ alert tcp any any -> any any (msg:"More than Five login fails in a Stream"; \
+ content:"login failed"; flowint:loginfail, isset; flowint:loginfail, >, 5;)
Now we'll generate an alert if we cross five login fails in the same
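Review bot: the trailing explanation line ends mid-sentence ("five login fails in the same"); suggest completing it as "in the same stream." to match the rule's msg. Worth saying in that sentence, too, that `flowint:loginfail, >, 5` stays true for every further failure on the flow while the "Counting Logins" rule keeps incrementing, so this alerts on the sixth, seventh, ... failure rather than once.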
::
alert tcp any any -> any any (msg:"Counting Good Logins"; content:"login successful"; \
- flowint:loginsuccess, +, 1; noalert;)
+ flowint:loginsuccess, +, 1; noalert;)
Here we're counting good logins, so now we'll count good logins
relevant to fails:
::
- alert tcp any any -> any any (msg:"Login fail after two successes"; content:"login failed"; \
- flowint:loginsuccess, isset; flowint:loginsuccess, =, 2;)
+ alert tcp any any -> any any (msg:"Login fail after two successes"; \
+ content:"login failed"; flowint:loginsuccess, isset; flowint:loginsuccess, =, 2;)
Here are some other general examples:
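Review bot: `flowint:loginsuccess, =, 2` on the re-wrapped line is an assignment, not a comparison. In flowint `=` sets the variable (exactly what `flowint:loginfail, =, 1` does in the "Start a login count" rule above) and `==` tests it (as `flowint:myvar,==,3` does in the example below), so as written this rule sets loginsuccess to 2 and then alerts on every "login failed" once the variable is set. Since the hunk already touches this line, change it to `flowint:loginsuccess, ==, 2;`.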
::
alert tcp any any -> any any (msg:"Setting a flowint counter"; content:"GET"; \
- flowint:myvar, notset; flowint:maxvar,notset; flowint:myvar,=,1; flowint: maxvar,=,6;)
+ flowint:myvar, notset; flowint:maxvar,notset; \
+ flowint:myvar,=,1; flowint: maxvar,=,6;)
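Review bot: the spacing inside the flowint options is inconsistent within this rule (`flowint:myvar, notset` vs `flowint:maxvar,notset` vs `flowint: maxvar,=,6`), and the same mix (`flowint: myvar,+,2`, `flowint: cntpackets, isset`) carries through the rules that follow. As the hunk is already re-wrapping these lines, suggest normalizing to one form, e.g. `flowint:name, op, value`, so readers do not wonder whether the space after the colon is significant.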
::
- alert tcp any any -> any any (msg:"Adding to flowint counter"; content:"Unauthorized"; \
- flowint:myvar,isset; flowint: myvar,+,2;)
+ alert tcp any any -> any any (msg:"Adding to flowint counter"; \
+ content:"Unauthorized"; flowint:myvar,isset; flowint: myvar,+,2;)
::
- alert tcp any any -> any any (msg:"if the flowint counter is 3 create a new counter"; content:"Unauthorized"; \
- flowint:myvar, isset; flowint:myvar,==,3; flowint:cntpackets,notset; flowint:cntpackets, =, 0;)
+ alert tcp any any -> any any (msg:"if the flowint counter is 3 create a new counter"; \
+ content:"Unauthorized"; flowint:myvar, isset; flowint:myvar,==,3; \
+ flowint:cntpackets,notset; flowint:cntpackets, =, 0;)
::
- alert tcp any any -> any any (msg:"and count the rest of the packets received without generating alerts!!!"; \
- flowint:cntpackets,isset; flowint:cntpackets, +, 1; noalert;)
+ alert tcp any any -> any any (msg:"count the rest without generating alerts"; \
+ flowint:cntpackets,isset; flowint:cntpackets, +, 1; noalert;)
::
- alert tcp any any -> any any (msg:" and fire this when it reach 6"; flowint: cntpackets, isset; \
- flowint: maxvar,isset; flowint: cntpackets, ==, maxvar;)
+ alert tcp any any -> any any (msg:"fire this when it reach 6"; \
+ flowint: cntpackets, isset; \
+ flowint: maxvar,isset; flowint: cntpackets, ==, maxvar;)
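Review bot: the rewritten msg still reads "fire this when it reach 6"; since the hunk changes the msg text anyway, fix the grammar to "fire this when it reaches 6". Style: this rule is now wrapped over three lines where every other re-wrapped rule uses two; `flowint: cntpackets, isset;` fits on the following line together with `flowint: maxvar,isset; flowint: cntpackets, ==, maxvar;)`.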