aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0e63c9ca41'
${ noResults }
suricata/doc/userguide/rules/flow-keywords.rst

125 lines
4.3 KiB
ReStructuredText
Raw Blame History

Flow Keywords
=============
Flowbits
~~~~~~~~
Flowbits consists of two parts. The first part describes the action it
is going to perform, the second part is the name of the flowbit.
There are multiple packets that belong to one flow. Suricata keeps
those flows in memory. For more information see
:ref:`suricata-yaml-flow-settings`. Flowbits can make sure an alert
will be generated when for example two different packets match. An
alert will only be generated when both packets match. So, when the
second packet matches, Suricata has to know if the first packet was a
match too. Flowbits marks the flow if a packet matches so Suricata
'knows' it should generate an alert when the second packet matches as
well.
Flowbits have different actions. These are:
::
flowbits: set, name Will set the condition/'name', if present, in the flow.
flowbits: isset, name Can be used in the rule to make sure it generates an alert
when the rule matches and the condition is set in the flow.
flowbits: toggle, name Reverses the present setting. So for example if a condition is set,
it will be unset and vice-versa.
flowbits: unset, name Can be used to unset the condition in the flow.
flowbits: isnotset, name Can be used in the rule to make sure it generates an alert
when it matches and the condition is not set in the flow.
flowbits: noalert Does not generate an alert for this rule.
Example:
.. image:: flow-keywords/Flowbit_3.png
When you take a look at the first rule you will notice it would
generate an alert if it would match, if it were not for the 'flowbits:
noalert' at the end of that rule. The purpose of this rule is to check
for a match on 'userlogin' and mark that in the flow. So, there is no
need for generating an alert. The second rule has no effect without
the first rule. If the first rule matches, the flowbits sets that
specific condition to be present in the flow. Now with the second rule
there can be checked whether or not the previous packet fulfills the
first condition. If at that point the second rule matches, an alert
will be generated.
It is possible to use flowbits several times in a rule and combine the
different functions.
Flow
~~~~
The flow keyword can be used to match on direction of the flow, so
to/from client or to/from server. The to_client is equal to
from_server, same goes for from_client and to_server - there's no
difference, both names are supported due to historical reasons. It can
also match if the flow is established or not. The flow keyword can
also be use to say the signature has to match on stream only
(only_stream) or on packet only (no_stream).
So with the flow keyword you can match on:
::
to_client established only_stream
from_client stateless no_stream
to_server
from_server
**NOTE:** *from_server* and *to_client* are the same, and so are
*to_server* and _from_client_. This comes from the original Snort
language and we support it for compatibility reasons.
These options from the different columns can be combined. You can use
up to three options. For example:
::
flow:to_client, established;
flow:from_client, established, only_stream;
There are different ways in which can be checked whether the
connection is established or not. With tcp-traffic a connection starts
with the three-way-handshake. In the flow is a part in which the state
is set. There will be checked in which state the connection is. In
other cases there will be just checked if traffic comes from two
sides.
Example:
.. image:: flow-keywords/Flow1.png
.. image:: flow-keywords/Flow2.png
Flowint
~~~~~~~
For information, read the information on the :doc:`flowint` page.
stream_size
~~~~~~~~~~~
The stream size option matches on traffic according to the registered
amount of bytes by the sequence numbers. There are several modifiers
to this keyword:
::
> greater than
< less than
= equal
!= not equal
>= greater than or equal
<= less than or equal
Format
::
stream_size:<server|client|both|either>, <modifier>, <number>;
Example of the stream-size keyword in a rule:
Reference in New Issue View Git Blame Copy Permalink