Flowbits have different actions. These are:
-::
-
- flowbits: set, name Will set the condition/'name', if present, in the flow.
- flowbits: isset, name Can be used in the rule to make sure it generates an alert
- when the rule matches and the condition is set in the flow.
- flowbits: toggle, name Reverses the present setting. So for example if a condition is set,
- it will be unset and vice-versa.
- flowbits: unset, name Can be used to unset the condition in the flow.
- flowbits: isnotset, name Can be used in the rule to make sure it generates an alert
- when it matches and the condition is not set in the flow.
- flowbits: noalert No alert will be generated by this rule.
+flowbits: set, name
+ Will set the condition/'name', if present, in the flow.
+flowbits: isset, name
+ Can be used in the rule to make sure it generates an alert when the
+ rule matches and the condition is set in the flow.
+flowbits: toggle, name
+ Reverses the present setting. So for example if a condition is set,
+ it will be unset and vice-versa.
+flowbits: unset, name
+ Can be used to unset the condition in the flow.
+flowbits: isnotset, name
+ Can be used in the rule to make sure it generates an alert when it
+ matches and the condition is not set in the flow.
+flowbits: noalert
+ No alert will be generated by this rule.
Example:
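Review bot: "Will set the condition/'name', if present, in the flow" (L14) is ambiguous; it reads as though the bit is only set when it already exists, where the intended meaning is that a match sets the bit on the flow, creating it if needed. Suggest "Sets the condition 'name' on the flow when the rule matches". The isset/isnotset entries (L16-17, L24-25) describe the alert rather than the check; clearer is "The rule only matches if the condition 'name' is set (is not set) on the flow". Two consistency points in the same hunk: L26 documents `flowbits: noalert` while the flowint examples later in this patch use the bare `noalert;` keyword (L57), so either state that both spellings are accepted or use one form throughout; and the trailing context line "Example:" at L28 keeps a single colon where the rest of this patch converts such lead-ins to `::` (L42, L74) so the literal block that follows renders.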
flowint
-------
-Flowint is a precursor to the Global Variables task we will be adding
-to the engine very soon, which will allow the capture, storage and
-comparison of data in a variable. It will be as the name implies
-Global. So you can compare data from packets in unrelated streams.
-
Flowint allows storage and mathematical operations using variables. It
operates much like flowbits but with the addition of mathematical
capabilities and the fact that an integer can be stored and
multiple factors. This will be expanded to a global context very soon,
so users can perform these operations between streams.
-The syntax is as follows:
+The syntax is as follows::
-flowint: , ;
+ flowint: name, modifier[, value];
Define a var (not required), or check that one is set or not set.
-flowint: , , ;
+::
-flowint: , < +,-,=,>,<,>=,<=,==, != >, ;
+ flowint: name, < +,-,=,>,<,>=,<=,==, != >, value;
+ flowint: name, (isset|isnotset);
Compare or alter a var. Add, subtract, compare greater than or less
than, greater than or equal to, and less than or equal to are
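Review bot: the syntax block (L44, L49-L50) never distinguishes `=` from `==`, and L49 uses `<` and `>` both as grouping brackets and as operators inside them, so a reader cannot tell that `=` assigns while `==` compares; the prose at L45 and L51-52 does not say it either. Suggest splitting the line into the three forms the examples in this patch actually use, in the `(a|b)` style already chosen at L50: `flowint: name, (isset|isnotset);` to test existence, `flowint: name, (=|+|-), value;` to set or modify, and `flowint: name, (<|>|<=|>=|==|!=), value;` to compare, each with a one-line description. Also, "The syntax is as follows::" at L42 is immediately followed by the indented literal line at L44 with no blank line in between, unlike the blank the patch adds at L75 before the stream_size example; unless an unchanged blank line sits there, docutils will not render L44 as a literal block. Finally, the hunk removes the "precursor to the Global Variables task" paragraph (L31-34) but leaves the same promise in the unchanged text at L39-40 ("This will be expanded to a global context very soon..."), which should go too, and "an integer can be stored and multiple factors" (L38-39) is missing a verb, e.g. "an integer can be stored and compared against multiple factors".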
::
- alert tcp any any -> any any (msg:"Counting Good Logins"; content:"login successful"; \
- flowint:loginsuccess, +, 1; noalert;)
+ alert tcp any any -> any any (msg:"Counting Good Logins"; \
+ content:"login successful"; flowint:loginsuccess, +, 1; noalert;)
Here we're counting good logins, so now we'll count good logins
relevant to fails:
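Review bot: the rewrapped rule at L56-57 still carries no `sid` (or `rev`), while the stream_size example this patch adds at L76 does include `sid:1;`; add a sid and rev here so the example loads when copied, and keep the examples in this file consistent with each other. The unchanged lead-in at L58-59 ("so now we'll count good logins relevant to fails") is hard to parse; the rule above counts successful logins and the next rule alerts on a failure after a given number of successes, so "Having counted successful logins, the next rule alerts on a failure once that count reaches two" would describe what follows.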
::
- alert tcp any any -> any any (msg:"Login fail after two successes"; \
- content:"login failed"; flowint:loginsuccess, isset; flowint:loginsuccess, =, 2;)
+ alert tcp any any -> any any (msg:"Login fail after two successes"; \
+ content:"login failed"; flowint:loginsuccess, isset; \
+ flowint:loginsuccess, =, 2;)
Here are some other general examples:
::
- alert tcp any any -> any any (msg:"if the flowint counter is 3 create a new counter"; \
+ alert tcp any any -> any any (msg:"when flowint counter is 3 create new counter"; \
content:"Unauthorized"; flowint:myvar, isset; flowint:myvar,==,3; \
flowint:cntpackets,notset; flowint:cntpackets, =, 0;)
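Review bot: `flowint:loginsuccess, =, 2;` at L65 assigns rather than compares. Within this same hunk `=` is used to initialise a counter (`flowint:cntpackets, =, 0;` at L71, right after the `notset` check) and `==` is used to compare (`flowint:myvar,==,3;` at L70), so as written the "Login fail after two successes" rule sets the counter to 2 on every failed login instead of matching when it equals 2, which contradicts its msg. Suggest `flowint:loginsuccess, ==, 2;`. Also L71 uses the modifier `notset` while the syntax block earlier in this patch documents `isnotset` (L50); either make the two agree or state that both spellings are accepted. As with the earlier example, both rules lack `sid`/`rev`.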
stream_size:<server|client|both|either>, <modifier>, <number>;
-Example of the stream-size keyword in a rule:
+Example of the stream-size keyword in a rule::
+
+ alert tcp any any -> any any (stream_size:both, >, 5000; sid:1;)
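Review bot: the new lead-in at L74 calls it the "stream-size keyword" while the keyword itself, at L72 and in the example at L76, is `stream_size`; use the underscore form so readers searching for the keyword find it. The `<modifier>` placeholder in the syntax line at L72 is never enumerated and the example only shows `>`; list the accepted comparison operators here the way the flowint syntax block does for its modifiers, and consider adding a `msg` to the example so it reads like the other rules in this file.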