flowbits rule option is used to set and test arbitrary boolean flags to track states throughout the entirety of a transport protocol session (UDP or TCP).
There are five
flowbit operations, all of which are listed below, that rule writers can use to track states. These are described in the following table:
|Sets the specified states for the current flow|
|Unsets the specified states for the current flow|
|Checks if the specified states are set|
|Checks if the specified states are not set|
|Cause the rule to not generate an alert, regardless of the rest of the detection options|
Setting and checking flowbits
The first four operations,
isnotset, are used to track states throughout a transport protocol session. These four operations require an additional argument, the flowbit flag name, which is the name of the flag to be associated with that particular state.
Tracking states is done properly by creating at least two rules: (1) a "flowbit setter" rule that tells Snort to set a flag if the other conditions in it are met and (2) a "flowbit checker" rule to check whether that particular flag has been set or not set previously in the current transport protocol session, using that as one of its conditions. Rule writers can also "unset" a flag if there's something in a particular packet to warrant such a thing.
Lastly, rule writers can also set and evaluate multiple bits at once using the
| operators. However, if setting or unsetting multiple flowbit flags with one
flowbit option, one must use
Setting or unsetting bits
Checking if any bit is set
Checking if all bits are set
Note: The names of the flowbit names should be limited to alphanumeric strings and can include periods, dashes, or underscores.
# this example sets a "logged_in" flag that is used to denote # that an IMAP login has occurred alert tcp any 143 -> any any ( msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in; flowbits:noalert; ) # this rule then will only "alert" if "LIST" is found in a packet AND # the "logged_in" flag has been set previously during the # current transport protocol session alert tcp any any -> any 143 ( msg:"IMAP LIST"; content:"LIST"; flowbits:isset,logged_in; )
# check that flag1 AND flag2 have been set previously in the # current transport protocol session flowbits:isset,flag1&flag2;
# check that flag1 OR flag2 have been set previously in the # current transport protocol session flowbits:isset,flag1|flag2;
# set the flowbits, flag1 AND flag2, for the current transport # protocol session flowbits:set,flag1&flag2;
# unset the flowbits, flag1 AND flag2, for the current transport # protocol session flowbits:unset,flag1&flag2;
The noalert flowbit
The last flowbit operation is
noalert. Invoking this operation simply tells Snort not to generate an alert for that particular rule. There is not bit name required for this one.
This operation is most commonly used in flowbit setter rules since those are usually just a precursor to what one actually wants to detect.