Project

General

Profile

Actions

Feature #294

closed

Limit inspection of a stream and/or rule...

Added by Edward Fjellskål over 12 years ago. Updated 8 months ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
medium
Difficulty:
low
Label:

Description

I would like to have different rule options to limit inspection of a streams.

Not sure if it would speed up or slow down performance, but I see it nice for limiting false positives as some rules are specifically looking for something in the start of a session/stream.

Say if we have a binary protocol, and we are just looking for something that identifies it in the start of the stream/session, it would be waste of cycles to keep inspecting that stream with that rule (And maybe other rules?)
A bit like snorts "preprocessor ssl: noinspect_encrypted"... Just editable by a user...

Example_1 (stream_noinspect;):
alert tcp $EXTERNAL_NET 888 -> $HOME_NET any (msg:"Stop inspect custom encrypted/binary protocol SSLv8"; flow:established,from_server; content:"|02|Handshake done|03|"; flowbits:noalert; stream_noinspect; classtype:friendly_fire; sid:888; rev:1;)

Example_2 (stream_depth:5; and stream_noinspect;):
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gh0st Trojan CnC"; flow:established,to_server; content:"Gh0st"; stream_depth:5; stream_noinspect; classtype:trojan-activity; sid:2010859; rev:100;)

There could be:
stream_noinspect or stream_noinspect_both (The same): Stops inspections of client and server traffic in the stream.
stream_noinspect_client: Stop inspection of traffic from client in the stream
stream_noinspect_server: Stop inspection of traffic from server in the stream
If the rule matches its conditions and one of the above options are presents, it would stop inspect respectively.

stream_depth (and stream_depth_raw): Only inspect a certain amount of bytes in a reassabled (or raw?) stream for the respective content:"" match in a rule? The rule would no longer be applied to packets in the stream after it fires.

I have no idea if my stream_* thoughts are a good or bad idea... but here they are :)


Related issues 1 (0 open1 closed)

Related to Suricata - Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as wellClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF