Flowbits Detection Capability
-----------------------------
The flowbits detection plugin uses the flow preprocessor to track rule state
during a transport protocol session. This is most useful for TCP sessions, as
it allows rules to generically track the state of an application protocol.
The general configuration of the flowbits rule option is:
flowbits:<keyword>[,<STATE_NAME>][,<GROUP_NAME>];
<GROUP_NAME> : This specifies the group to which the flowbits belong. When the
GROUP_NAME isnt specified the flowbits belong to the default group. All the flowbits
in a particular group (with an exception of default group) are mutually exclusive.
This means when one flowbits is set in a particular group all the other flowbits
in that group will be unset. A particular flow cannot belong to more than one
group. The group name should be limited to any alphanumeric string including periods,
dashes, and underscores. This argument is allowed only with set and toggle keywords.
Flowbits Keywords
-----------------
There are seven keywords associated with flowbits, most of the options need a
user defined name for the specific state that is being checked. This string
should be limited to any alphanumeric string including periods, dashes, and
underscores.
set
---
This keyword sets a STATE_NAME for a particular flow and unsets all the other flowbits
in a group when the GROUP_NAME is passed. This keyword always returns true.
Usage: flowbits:set,FOO[,BAR];
unset
-----
This keyword unsets a STATE_NAME for a particular flow. This keyword always
returns true.
Usage: flowbits:unset,FOO;
toggle
------
This keyword sets a STATE_NAME if unset and clears out all the other flowbits in a
group when the GROUP_NAME is passed, and unsets a STATE_NAME if set. This keyword
always returns true.
Usage: flowbits:toggle,FOO[,BAR];
isset
-----
This keyword checks a STATE_NAME to see if it is set. It returns true if the
STATE_NAME is set, and returns false if the STATE_NAME is not set.
Usage: flowbits:isset,FOO;
isnotset
--------
This keyword checks a STATE_NAME to see if it is not set. It returns true if
the STATE_NAME is not set, and returns false if the STATE_NAME is set.
Usage: flowbits:isnotset,FOO;
noalert
-------
This keyword always returns false. It allows users to write rules that set,
unset, and toggle STATE_NAME without generating an alert. This is most useful
for writing flowbit rules that set STATE_NAME on normal traffic and
significantly reduces unwanted alerts. There is no STATE_NAME specified with
this keyword.
Usage: flowbits:noalert;
reset
-----
This keyword resets all of the states on a given flow. This always returns
true. There is no STATE_NAME specified with this keyword.
Usage: flowbits:reset;
Sample Rules
------------
alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in;)
alert tcp any any -> any 143 (msg:"IMAP lsub"; content:"LSUB"; flowbits:isset,logged_in;)
alert tcp any any -> any 143 (msg:"IMAP LIST WITHOUT LOGIN"; content:"LIST"; flowbits:isnotset,logged_in;)
alert tcp any any -> any any (msg:"JPG transfer"; content:".JPG"; nocase; flowbits:set,http.jpg,file_type;)
distrib
>
Mandriva
>
current
>
i586
>
media
>
main-updates
>
by-pkgid
>
ff1a1cc6fcf738dd1e56fbe0bb6e9d38
>
files
>
58
