flowbits
The flowbits rule option is used to set and test arbitrary boolean flags to track states throughout the entirety of a transport protocol session (UDP or TCP).
There are five flowbit operations, all of which are listed below, that rule writers can use to track states. These are described in the following table:
| Argument | Description |
|---|---|
set | Sets the specified states for the current flow |
unset | Unsets the specified states for the current flow |
isset | Checks if the specified states are set |
isnotset | Checks if the specified states are not set |
noalert | Cause the rule to not generate an alert, regardless of the rest of the detection options |
Setting and checking flowbits
The first four operations, set, unset, isset, and isnotset, are used to track states throughout a transport protocol session. These four operations require an additional argument, the flowbit flag name, which is the name of the flag to be associated with that particular state.
Tracking states is done properly by creating at least two rules: (1) a "flowbit setter" rule that tells Snort to set a flag if the other conditions in it are met and (2) a "flowbit checker" rule to check whether that particular flag has been set or not set previously in the current transport protocol session, using that as one of its conditions. Rule writers can also "unset" a flag if there's something in a particular packet to warrant such a thing.
Lastly, rule writers can also set and evaluate multiple bits at once using the & and | operators. However, if setting or unsetting multiple flowbit flags with one flowbit option, one must use &.
Format:
Setting or unsetting bits
flowbits:{set|unset},bit[&bit]…;Checking if any bit is set
flowbits:{isset|isnotset},bit[|bit]…;Checking if all bits are set
flowbits:{isset|isnotset},bit[&bit]…;Note: The names of the flowbit names should be limited to alphanumeric strings and can include periods, dashes, or underscores.
Examples:
# this example sets a "logged_in" flag that is used to denote
# that an IMAP login has occurred
alert tcp any 143 -> any any (
msg:"IMAP login";
content:"OK LOGIN";
flowbits:set,logged_in;
flowbits:noalert;
)
# this rule then will only "alert" if "LIST" is found in a packet AND
# the "logged_in" flag has been set previously during the
# current transport protocol session
alert tcp any any -> any 143 (
msg:"IMAP LIST";
content:"LIST";
flowbits:isset,logged_in;
)
# check that flag1 AND flag2 have been set previously in the
# current transport protocol session
flowbits:isset,flag1&flag2;
# check that flag1 OR flag2 have been set previously in the
# current transport protocol session
flowbits:isset,flag1|flag2;
# set the flowbits, flag1 AND flag2, for the current transport
# protocol session
flowbits:set,flag1&flag2;
# unset the flowbits, flag1 AND flag2, for the current transport
# protocol session
flowbits:unset,flag1&flag2;
The noalert flowbit
The last flowbit operation is noalert. Invoking this operation simply tells Snort not to generate an alert for that particular rule. There is not bit name required for this one.
This operation is most commonly used in flowbit setter rules since those are usually just a precursor to what one actually wants to detect.
Format:
flowbits:noalert;
Examples:
flowbits:noalert;