Re: [Snort-users] A "Flowbits" issue

This is a discussion on Re: [Snort-users] A "Flowbits" issue within the Snort forums, part of the System Security and Security Related category.
Hi Joel,
> My question is, is there a reason you are trying to set two flowbits
> with that one rule?

Yes, while the first "flowbits" tells that someone has logged into the system, the second "flowbits" denotes that a specific user has logged into the system. Each "flowbits" might be useful in different situations.

> Are you sure "username:tung" appears just like that in a packet? (i.e.
> no spaces, username and the login name in one string?)

Yes, I just assumed it appears like that in a packet's payload.

Thanks,
Tung.

On Dec 2, 2007 2:09 PM, Joel Esler <joel.esler@sourcefire.com> wrote:
> My question is, is there a reason you are trying to set two flowbits
> with that one rule?
>
> Are you sure "username:tung" appears just like that in a packet? (i.e.
> no spaces, username and the login name in one string?)
>
> --
> Joel Esler
> joel.esler@sourcefire.com
>
> On Dec 2, 2007, at 2:05 PM, tung tran wrote:
>
> > Hi,
> > My question is: should we use "flowbits" to check a packet against
> > multiple rules, or do we only use "flowbits" to check the next coming packets?
> > If we consider this rule:
> >
> >   R0: alert tcp 192.168.0.1 any -> any any (content:"logged in"; flowbits:set,logged_in; content:"username:tung"; flowbits:set,tung_logged_in;)
> >
> > which marks the flow as: the specific user "tung" has logged in.
> > Can we split this rule into these 2 rules:
> >
> >   R1: alert tcp 192.168.0.1 any -> any any (content:"logged in"; flowbits:set,logged_in; flowbits:noalert;)
> >   R2: alert tcp 192.168.0.1 any -> any any (content:"username:tung"; flowbits:isset,logged_in; flowbits:set,tung_logged_in;)
> >
> > Do we normally write rules this way when we use "flowbits"? Is there
> > any situation where we should split a rule when "flowbits" is used?
> > The problem I see when using "flowbits" to check a packet against
> > multiple rules is that the rule triggering order might cause a problem. In
> > the example above, if R1 is triggered before R2, these 2 rules do the
> > same thing as rule R0; however, if R2 is triggered before R1, these 2
> > rules don't function as we expect.
> > Any idea about this "flowbits" issue?
> > Thank you very much,
> > Tung
> >
> > -------------------------------------------------------------------------
> > SF.Net email is sponsored by: The Future of Linux Business White Paper
> > from Novell. From the desktop to the data center, Linux is going
> > mainstream. Let it simplify your IT future.
> > http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/...fo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.p...st=snort-users
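To make the ordering problem from the thread concrete, here is an added toy model of how `set`, `isset` and `noalert` interact with rule evaluation order on a single flow. It is not Snort's code and not from either poster; it assumes rules are evaluated in the order listed (real Snort chooses its own order internally, which is exactly why the split is fragile), and the payload is a constructed sample.

```python
# Added toy model of Snort flowbits semantics (not Snort's own code).
# Assumption: rules run in the order given; real Snort picks its own
# evaluation order, so a split that depends on order is unreliable.

# The three rules from the thread, reduced to their content matches and
# flowbits options (option order within a rule is preserved).
RULES = {
    "R0": {"content": ["logged in", "username:tung"],
           "flowbits": [("set", "logged_in"), ("set", "tung_logged_in")]},
    "R1": {"content": ["logged in"],
           "flowbits": [("set", "logged_in"), ("noalert", None)]},
    "R2": {"content": ["username:tung"],
           "flowbits": [("isset", "logged_in"), ("set", "tung_logged_in")]},
}

def eval_rule(rule, payload, flow):
    """Evaluate one rule against a payload. `flow` is the per-flow bit set
    and is mutated by `set`. Returns True if the rule would alert."""
    if not all(c in payload for c in rule["content"]):
        return False
    alert = True
    for op, bit in rule["flowbits"]:
        if op == "isset" and bit not in flow:
            return False           # isset fails: later options never run
        if op == "set":
            flow.add(bit)
        elif op == "noalert":
            alert = False          # bits are still set, just no alert
    return alert

def run(order, packets):
    """Feed the packets of one flow through the rules in `order`.
    Returns (final flow bits, list of rules that alerted)."""
    flow, alerts = set(), []
    for payload in packets:
        for name in order:
            if eval_rule(RULES[name], payload, flow):
                alerts.append(name)
    return flow, alerts

# Constructed sample payload carrying both strings in one packet.
PAYLOAD = "230 user logged in\r\nusername:tung\r\n"

if __name__ == "__main__":
    print("R0 alone      :", run(["R0"], [PAYLOAD]))
    print("R1 then R2    :", run(["R1", "R2"], [PAYLOAD]))
    print("R2 then R1    :", run(["R2", "R1"], [PAYLOAD]))  # tung bit never set
    print("R2,R1, 2 pkts :", run(["R2", "R1"], [PAYLOAD, PAYLOAD]))
```

When both strings arrive in one packet, R2 before R1 leaves `tung_logged_in` unset and raises no alert; only a later packet carrying `username:tung` again would recover, which R0 avoids by matching both contents in a single rule.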