flowbits Keyword Example: A Configuration for Preventing False Positive Events
The following example illustrates how including state names in a group and using the setx operator can prevent false positives.
Consider the same case as the previous example, except that the first two rules now include their two different state names in the same state group.
(msg:"JPEG transfer"; content:"image/"; pcre:"/^Content-?Type\x3a(\s*|\s*\r?\n\s+)image\x2fp?jpe?g/smi"; flowbits:setx,http.jpeg,image_downloads; flowbits:noalert;)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:
When the first rule fragment detects a JPEG file download, the flowbits:setx,http.jpeg,image_downloads keyword sets the flowbits state http.jpeg, includes that state in the image_downloads group, and unsets any other state in that group that was already set on the flow. Because of flowbits:noalert, the rule records the state without generating an event.
The next rule then detects a subsequent GIF file download on the same flow:
(msg:"GIF transfer"; content:"image/"; pcre:"/^Content-?Type\x3a(\s*|\s*\r?\n\s+)image\x2fgif/smi"; flowbits:setx,http.jpg,image_downloads; flowbits:noalert;)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:
When the second rule fragment matches the GIF download, the flowbits:setx,http.jpg,image_downloads keyword sets the http.jpg flowbits state (a label distinct from http.jpeg, despite the similar name) and, because both states belong to the image_downloads group, unsets http.jpeg, the other state in the group. Only the most recently set state in a group stays set on the flow.
The third rule fragment does not result in a false positive:
(msg:"JPEG exploit"; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/";)
The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:
Because flowbits:isset,http.jpeg is false, the rules engine stops processing the rule and no event is generated, thus avoiding a false positive even in a case where content in the GIF file matches exploit content for a JPEG file. If the JPEG download had instead been the most recent image transfer on the flow, http.jpeg would still be set and the rule would generate an event as intended.
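The following simulation, added here as an example and not code from the original page or from Snort, models the flowbits semantics described above (per-flow state, set, setx with a group, isset, noalert) and runs the three rule fragments over constructed HTTP responses on a single flow. The sample traffic, the rule-evaluation order (rules are checked in listed order per packet, which is a simplification of how Snort actually schedules rule evaluation), and the assumption that the previous example used the plain set operator are all assumptions of this example. It shows that with set, a GIF body containing the JPEG exploit bytes still alerts, while with setx the alert is suppressed, and that a genuine JPEG download still alerts:

```python
import re

# Constructed sample traffic (not from the original page): server-to-client
# HTTP payloads in arrival order on one TCP flow.
JPEG_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
GIF_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
# Both bodies carry the byte sequence FF E1 00 00 that the "JPEG exploit"
# rule's pcre looks for; the GIF body carries it to model the false positive.
JPEG_BODY = b"\xff\xd8\xff\xe1\x00\x00Exif\x00\x00" + b"\x00" * 8
GIF_BODY = b"GIF89a\x10\x00\x10\x00\xff\xe1\x00\x00" + b"\x00" * 8

FLOW_GIF_AFTER_JPEG = [JPEG_HEADER, GIF_HEADER, GIF_BODY]  # the page's scenario
FLOW_JPEG_ONLY = [JPEG_HEADER, JPEG_BODY]                   # true positive

# The page's pcre patterns; the /smi options map to DOTALL | MULTILINE | IGNORECASE.
CT_FLAGS = re.S | re.M | re.I
JPEG_CT = re.compile(rb"^Content-?Type\x3a(\s*|\s*\r?\n\s+)image\x2fp?jpe?g", CT_FLAGS)
GIF_CT = re.compile(rb"^Content-?Type\x3a(\s*|\s*\r?\n\s+)image\x2fgif", CT_FLAGS)
JPEG_EXPLOIT = re.compile(rb"\xff[\xe1\xe2\xed\xfe]\x00[\x00\x01]")


class Flowbits:
    """Per-flow flowbits table. Group membership comes from the rule set,
    as it would from Snort parsing the rules at load time."""

    def __init__(self, groups):
        self.groups = groups   # group name -> set of state names in that group
        self.bits = set()      # state names currently set on this flow

    def set(self, name, group=None):
        # Plain set: other states in the same group are left untouched.
        self.bits.add(name)

    def setx(self, name, group):
        # Exclusive set: unset every other state in the group, then set this one.
        self.bits -= self.groups.get(group, set()) - {name}
        self.bits.add(name)

    def isset(self, name):
        return name in self.bits


def build_rules(operator):
    """The page's three rule fragments as match predicates plus flowbits options.
    operator is "set" (assumed form of the previous example) or "setx"."""
    return [
        {"msg": "JPEG transfer",
         "match": lambda p: b"image/" in p and JPEG_CT.search(p) is not None,
         "flowbits": [(operator, "http.jpeg", "image_downloads"), ("noalert",)]},
        {"msg": "GIF transfer",
         "match": lambda p: b"image/" in p and GIF_CT.search(p) is not None,
         "flowbits": [(operator, "http.jpg", "image_downloads"), ("noalert",)]},
        {"msg": "JPEG exploit",
         "match": lambda p: b"\xff" in p and JPEG_EXPLOIT.search(p) is not None,
         "flowbits": [("isset", "http.jpeg")]},
    ]


def run_flow(payloads, operator):
    """Evaluate the rules over every payload of one flow; return alert messages."""
    rules = build_rules(operator)
    groups = {}
    for rule in rules:
        for opt in rule["flowbits"]:
            if opt[0] in ("set", "setx"):
                groups.setdefault(opt[2], set()).add(opt[1])
    fb = Flowbits(groups)
    alerts = []
    for payload in payloads:
        for rule in rules:   # simplification: rules checked in listed order
            if not rule["match"](payload):
                continue
            # flowbits:isset must hold, or the engine stops processing the rule.
            if any(o[0] == "isset" and not fb.isset(o[1]) for o in rule["flowbits"]):
                continue
            alert = True
            for o in rule["flowbits"]:
                if o[0] == "set":
                    fb.set(o[1], o[2])
                elif o[0] == "setx":
                    fb.setx(o[1], o[2])
                elif o[0] == "noalert":
                    alert = False
            if alert:
                alerts.append(rule["msg"])
    return alerts


if __name__ == "__main__":
    print("set,  GIF after JPEG:", run_flow(FLOW_GIF_AFTER_JPEG, "set"))
    print("setx, GIF after JPEG:", run_flow(FLOW_GIF_AFTER_JPEG, "setx"))
    print("setx, JPEG only:     ", run_flow(FLOW_JPEG_ONLY, "setx"))
```

The difference between the two operators is entirely in Flowbits.setx: plain set leaves http.jpeg set after the GIF header arrives, so the exploit rule's isset check passes on the GIF body, while setx clears http.jpeg as a side effect of setting http.jpg, so the same body produces no event.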