From: Victor Julien Date: Wed, 17 Oct 2018 10:06:23 +0000 (+0200) Subject: doc/flow: updates and cleanups to flow section X-Git-Tag: suricata-4.1.0~73 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5afeebf88429389ec9e94121e86a35ff14691515;p=thirdparty%2Fsuricata.git doc/flow: updates and cleanups to flow section --- diff --git a/doc/userguide/rules/flow-keywords.rst b/doc/userguide/rules/flow-keywords.rst index 9c37d72e34..626d215001 100644 --- a/doc/userguide/rules/flow-keywords.rst +++ b/doc/userguide/rules/flow-keywords.rst @@ -19,17 +19,21 @@ well. Flowbits have different actions. These are: -:: - - flowbits: set, name Will set the condition/'name', if present, in the flow. - flowbits: isset, name Can be used in the rule to make sure it generates an alert - when the rule matches and the condition is set in the flow. - flowbits: toggle, name Reverses the present setting. So for example if a condition is set, - it will be unset and vice-versa. - flowbits: unset, name Can be used to unset the condition in the flow. - flowbits: isnotset, name Can be used in the rule to make sure it generates an alert - when it matches and the condition is not set in the flow. - flowbits: noalert No alert will be generated by this rule. +flowbits: set, name + Will set the condition/'name', if present, in the flow. +flowbits: isset, name + Can be used in the rule to make sure it generates an alert when the + rule matches and the condition is set in the flow. +flowbits: toggle, name + Reverses the present setting. So for example if a condition is set, + it will be unset and vice-versa. +flowbits: unset, name + Can be used to unset the condition in the flow. +flowbits: isnotset, name + Can be used in the rule to make sure it generates an alert when it + matches and the condition is not set in the flow. +flowbits: noalert + No alert will be generated by this rule. Example: 
@@ -106,11 +110,6 @@ The determination of *established* depends on the protocol: flowint ------- -Flowint is a precursor to the Global Variables task we will be adding -to the engine very soon, which will allow the capture, storage and -comparison of data in a variable. It will be as the name implies -Global. So you can compare data from packets in unrelated streams. - Flowint allows storage and mathematical operations using variables. It operates much like flowbits but with the addition of mathematical capabilities and the fact that an integer can be stored and @@ -120,15 +119,16 @@ occurrences, or doing thresholding within a stream in relation to multiple factors. This will be expanded to a global context very soon, so users can perform these operations between streams. -The syntax is as follows: +The syntax is as follows:: -flowint: , ; + flowint: name, modifier[, value]; Define a var (not required), or check that one is set or not set. -flowint: , , ; +:: -flowint: , < +,-,=,>,<,>=,<=,==, != >, ; + flowint: name, < +,-,=,>,<,>=,<=,==, != >, value; + flowint: name, (isset|isnotset); Compare or alter a var. Add, subtract, compare greater than or less than, greater than or equal to, and less than or equal to are @@ -210,16 +210,17 @@ logins and a failed login after that. :: - alert tcp any any -> any any (msg:"Counting Good Logins"; content:"login successful"; \ - flowint:loginsuccess, +, 1; noalert;) + alert tcp any any -> any any (msg:"Counting Good Logins"; \ + content:"login successful"; flowint:loginsuccess, +, 1; noalert;) Here we're counting good logins, so now we'll count good logins relevant to fails: :: - alert tcp any any -> any any (msg:"Login fail after two successes"; \ - content:"login failed"; flowint:loginsuccess, isset; flowint:loginsuccess, =, 2;) + alert tcp any any -> any any (msg:"Login fail after two successes"; \ + content:"login failed"; flowint:loginsuccess, isset; \ + flowint:loginsuccess, =, 2;) Here are some other general examples: 
@@ -236,7 +237,7 @@ Here are some other general examples: :: - alert tcp any any -> any any (msg:"if the flowint counter is 3 create a new counter"; \ + alert tcp any any -> any any (msg:"when flowint counter is 3 create new counter"; \ content:"Unauthorized"; flowint:myvar, isset; flowint:myvar,==,3; \ flowint:cntpackets,notset; flowint:cntpackets, =, 0;) @@ -274,4 +275,6 @@ Format stream_size:, , ; -Example of the stream-size keyword in a rule: +Example of the stream-size keyword in a rule:: + + alert tcp any any -> any any (stream_size:both, >, 5000; sid:1;)
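Review bot: in the first hunk (flow-keywords.rst, the flowbits actions), the description carried over for the first term, `Will set the condition/'name', if present, in the flow.`, is hard to parse: it is unclear what "if present" qualifies. Since the block is being converted to a definition list anyway, consider `Sets the condition 'name' in the flow.`, and render each term as an inline literal (``flowbits: set, name``) so the keyword syntax is visually set off from its description, as the other literal blocks in this file already do.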
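Review bot: the second hunk drops the "precursor to the Global Variables task" paragraph but leaves a dangling promise two paragraphs later: the unchanged context at the top of the next hunk still reads `multiple factors. This will be expanded to a global context very soon, so users can perform these operations between streams.` If the global-variables plan is no longer being advertised, that sentence should go in the same commit, otherwise the section half-retains the claim it just removed.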
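Review bot: the new syntax line `flowint: name, (isset|isnotset);` in the third hunk names the negative check `isnotset`, while the example left unchanged later in this patch uses `flowint:cntpackets,notset;`. Either both spellings are accepted by the keyword parser, in which case the syntax block should list both, or one of the two is wrong; please check against the parser and align the documentation. Separately, the first literal block `flowint: name, modifier[, value];` is immediately followed by a second `::` block restating it in expanded form; a one-line lead-in such as "Where modifier is one of:" before the second block would make clear it is a breakdown rather than an alternative syntax.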
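Review bot: the second rule in the fourth hunk, `flowint:loginsuccess, =, 2;`, is an assignment rather than a comparison: the modifier list in this same file separates `=` from `==`, and the later example uses `flowint:cntpackets, =, 0;` to create a counter and `flowint:myvar,==,3;` to test one. As written, the rule titled "Login fail after two successes" sets the counter to 2 on every `login failed` match instead of alerting only when two successes preceded it. Since the line is being rewrapped anyway, this is a good moment to change it to `flowint:loginsuccess, ==, 2;`.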
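Review bot: while the `msg` of this rule is being shortened in the fifth hunk, the modifier spacing within the same rule is inconsistent: `flowint:myvar,==,3;` has no spaces, but `flowint:cntpackets, =, 0;` on the next line and all the preceding examples use the spaced form. `flowint:myvar, ==, 3;` would match the rest of the file.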
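Review bot: the added `stream_size` example in the last hunk has no `msg:` keyword, unlike every other example rule in this file; `alert tcp any any -> any any (msg:"stream size both > 5000"; stream_size:both, >, 5000; sid:1;)` would keep the examples uniform. A short sentence before the block saying which direction(s) `both` selects would also help, since the Format line just above it does not list the allowed values.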