Snort mailing list archives
First crack at layer 7 flow identification
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 20 Sep 2016 15:03:46 -0600
So here it is...so far this seems to work, but just with tcp traffic:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Start flow"; flow:to_server; flowbits:set,bit1,stream; flowbits:noalert; sid:10000060)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Response flow"; flow:from_server; flowbits:set,bit2,stream; flowbits:isset,bit1; flowbits:noalert; sid:10000061)
alert tcp any any -> any any (msg:"Established flow"; flow:established; flowbits:set,bit3,stream; flowbits:isset,bit1&bit2; flowbits:noalert; sid:10000062)
alert tcp any any -> any any (msg:"Shutdown flow FIN-ACK"; flags:FA; flow:stateless; flowbits:isset,all,stream; flowbits:reset; stream_reassemble:enable,both; sid:10000063)
alert tcp any any -> any any (msg:"Shutdown flow RST"; flags:R; flow:stateless; flowbits:isset,all,stream; flowbits:reset; stream_reassemble:enable,both; sid:10000064)
Flow is pretty nice for detecting startup and establishing a session,
but I was unable to figure out a way to get flow to recognize a session
being torn down, so that's why I have to use a FIN-ACK or RST. I also
noticed that AppID seems to detect better at the end of a session, which
is why I chose to actually alert on FIN-ACK/RST. I have to set the any
any for the Shutdown flows as sometimes the client will FIN-ACK/RST, and
sometimes it will be the server, which is why you'll see some entries
below as the source sometimes being HOME_NET, and others EXTERNAL_NET.
If someone has a better idea of how to tweak this to work better, or
with udp and not having to use tcp flags, I'm all eyes. Here's the end
result:
09/20-14:44:02.069913 [**] [1:10000063:0] Shutdown flow [**] [Priority: 0] [AppID: Google] {TCP} 192.168.1.7:42648 -> 216.58.216.132:80
09/20-14:47:04.635344 [**] [1:10000063:0] Shutdown flow [**] [Priority: 0] [AppID: Ubuntu] {TCP} 91.189.95.15:80 -> 192.168.1.8:40292
09/20-14:47:27.835899 [**] [1:10000063:0] Shutdown flow [**] [Priority: 0] [AppID: Advanced Packaging Tool] {TCP} 192.168.1.8:34100 -> 91.189.92.150:80
09/20-14:47:27.836278 [**] [1:10000063:0] Shutdown flow [**] [Priority: 0] [AppID: Ubuntu] {TCP} 192.168.1.8:35542 -> 91.189.88.152:80
09/20-14:47:27.836676 [**] [1:10000063:0] Shutdown flow [**] [Priority: 0] [AppID: Ubuntu Update Manager] {TCP} 192.168.1.8:60574 -> 91.189.91.26:80
09/20-14:51:50.553277 [**] [1:10000063:0] Shutdown flow [**] [Priority: 0] [AppID: HTTPS] {TCP} 209.59.180.54:443 -> 192.168.1.106:35325
The next step is getting the appid.u2 into Elasticsearch...chances are
I'll have to use logstash. More coming.
James
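The alert lines above have one wrinkle the post calls out: because the shutdown rules are any -> any, the packet that fires them may come from either peer, so the printed src/dst is not client/server. Before shipping them to Elasticsearch it helps to parse the alert_fast format and normalise direction once. The following is an added example, not code from James's post or from the Snort project. It assumes HOME_NET is 192.168.1.0/24 (the inside hosts visible in the output), handles IPv4 only, and its sample lines are constructed to match the shape of the output above.

```python
import ipaddress
import json
import re
from collections import Counter
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample input shaped like the post's alert_fast lines; not from a live sensor.
SAMPLE_ALERTS = """\
09/20-14:44:02.069913 [**] [1:10000063:0] Shutdown flow [**] [Priority: 0] [AppID: Google] {TCP} 192.168.1.7:42648 -> 216.58.216.132:80
09/20-14:47:04.635344 [**] [1:10000063:0] Shutdown flow [**] [Priority: 0] [AppID: Ubuntu] {TCP} 91.189.95.15:80 -> 192.168.1.8:40292
09/20-14:47:27.835899 [**] [1:10000063:0] Shutdown flow [**] [Priority: 0] [AppID: Advanced Packaging Tool] {TCP} 192.168.1.8:34100 -> 91.189.92.150:80
"""

# Assumption: the sensor's HOME_NET; 192.168.1.0/24 matches the inside hosts in the post.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# alert_fast layout: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n]
# [AppID: name] {PROTO} src[:port] -> dst[:port]. Classification and AppID are
# optional, ports are absent for ICMP. Assumption: IPv4 addresses only.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] "
    r"(?:\[AppID: (?P<appid>[^\]]*)\] )?"
    r"\{(?P<proto>\w+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


@dataclass
class FlowRecord:
    timestamp: str
    sid: int
    msg: str
    priority: int
    appid: Optional[str]
    proto: str
    client_ip: str
    client_port: Optional[int]
    server_ip: str
    server_port: Optional[int]
    direction_flipped: bool  # True when the firing packet was sent by the server side


def is_home(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def client_is_source(src: str, sport: Optional[int], dst: str, dport: Optional[int]) -> bool:
    """Is the packet's source the client side? Prefer the HOME_NET peer as client
    (assumes inside hosts initiate outbound); if both or neither peer is inside,
    fall back to treating the lower port as the service side."""
    src_home, dst_home = is_home(src), is_home(dst)
    if src_home != dst_home:
        return src_home
    if sport is not None and dport is not None and sport != dport:
        return sport > dport
    return True


def parse_alert(line: str) -> Optional[FlowRecord]:
    """Parse one alert_fast line into a client/server-oriented record; None if no match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src, dst = m["src"], m["dst"]
    sport = int(m["sport"]) if m["sport"] else None
    dport = int(m["dport"]) if m["dport"] else None
    flipped = not client_is_source(src, sport, dst, dport)
    if flipped:  # swap so client_* is always the initiating side
        src, dst, sport, dport = dst, src, dport, sport
    return FlowRecord(
        timestamp=m["ts"], sid=int(m["sid"]), msg=m["msg"], priority=int(m["prio"]),
        appid=m["appid"], proto=m["proto"], client_ip=src, client_port=sport,
        server_ip=dst, server_port=dport, direction_flipped=flipped,
    )


def parse_alerts(text: str) -> list:
    return [r for r in (parse_alert(l) for l in text.splitlines()) if r is not None]


def to_ndjson(records) -> str:
    """One JSON document per line, the form Logstash or the ES bulk API ingests."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in records)


def appid_counts(records) -> dict:
    """Flows per detected application; untagged flows are bucketed as 'unknown'."""
    return dict(Counter(r.appid or "unknown" for r in records))


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    print(to_ndjson(recs))
    print(appid_counts(recs))
```

Run it against a real alert file by reading the file into `parse_alerts` and piping the NDJSON into Logstash's stdin input or a bulk request; the `direction_flipped` field is kept so you can see how often the server side sent the FIN-ACK/RST.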
