flowbits Keyword Example: A Configuration Using state_name

This is an example of a flowbits configuration using state_name.

Consider the IMAP vulnerability described in CVE ID 2000-0284. This vulnerability exists in an implementation of IMAP, specifically in the LIST, LSUB, RENAME, FIND, and COPY commands. However, to take advantage of the vulnerability, the attacker must be logged into the IMAP server. Because the LOGIN confirmation from the IMAP server and the exploit that follows are necessarily in different packets, it is difficult to construct non-flow-based rules that catch this exploit. Using the flowbits keyword, you can construct a series of rules that track whether the user is logged into the IMAP server and, if so, generate an event if one of the attacks is detected. If the user is not logged in, the attack cannot exploit the vulnerability and no event is generated.

The two rule fragments that follow illustrate this example. The first rule fragment looks for an IMAP login confirmation from the IMAP server:

alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in; flowbits:noalert;)

The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:


Note that flowbits:set sets a state of logged_in, while flowbits:noalert suppresses the alert because you are likely to see many innocuous login sessions on an IMAP server.

The next rule fragment looks for a LIST string, but does not generate an event unless the logged_in state has been set as a result of some previous packet in the session:

alert tcp any any -> any 143 (msg:"IMAP LIST"; content:"LIST"; flowbits:isset,logged_in;)

The following diagram illustrates the effect of the flowbits keyword in the preceding rule fragment:


In this case, if a previous packet has caused a rule containing the first fragment to trigger, then a rule containing the second fragment triggers and generates an event.
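The following added example is not part of the original documentation and is not Snort code; it is a small Python model of the flowbits semantics the two rule fragments rely on (set, isset, noalert) with per-session state. The packet sequence, addresses and ports are constructed, and the Packet and Rule classes, flow_key and evaluate are assumptions of this model rather than Snort internals. It shows that a LIST sent before the server's OK LOGIN reply produces no event, a LIST sent after it does, and a LIST in a different session that never logged in produces nothing, because flowbits state is kept per session.

```python
"""Toy model of flowbits gating one rule on state set by another.

Added example (not Snort source): mimics set / isset / noalert over a
constructed packet sequence so the two-rule interaction can be seen end to end.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One TCP segment; only the fields the toy rules inspect."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


@dataclass(frozen=True)
class Rule:
    """A reduced Snort rule: port filters, a content match and flowbits options."""
    msg: str
    sport: Optional[int]                    # None means 'any'
    dport: Optional[int]
    content: str
    flowbits: Tuple[Tuple[str, ...], ...]   # e.g. (("set", "logged_in"), ("noalert",))


# The two rule fragments from the page, expressed as Rule objects.
RULES = [
    Rule("IMAP login", sport=143, dport=None, content="OK LOGIN",
         flowbits=(("set", "logged_in"), ("noalert",))),
    Rule("IMAP LIST", sport=None, dport=143, content="LIST",
         flowbits=(("isset", "logged_in"),)),
]


def flow_key(pkt: Packet) -> Tuple[Tuple[str, int], ...]:
    """Direction-independent session key, so server->client and client->server
    packets of one session share the same flowbits."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


def evaluate(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[str, Tuple]]:
    """Run every packet through every rule, keeping flowbits per session.
    Returns the generated alerts as (msg, flow_key) pairs."""
    state: Dict[Tuple, Set[str]] = {}
    alerts: List[Tuple[str, Tuple]] = []
    for pkt in packets:
        bits = state.setdefault(flow_key(pkt), set())
        for rule in rules:
            if rule.sport is not None and pkt.sport != rule.sport:
                continue
            if rule.dport is not None and pkt.dport != rule.dport:
                continue
            if rule.content not in pkt.payload:
                continue
            # Conditions (isset / isnotset) are checked before any state change.
            conditions_ok = all(
                (op[1] in bits) if op[0] == "isset" else (op[1] not in bits)
                for op in rule.flowbits if op[0] in ("isset", "isnotset")
            )
            if not conditions_ok:
                continue
            suppress = False
            for op in rule.flowbits:
                if op[0] == "set":
                    bits.add(op[1])
                elif op[0] == "unset":
                    bits.discard(op[1])
                elif op[0] == "noalert":
                    suppress = True       # state is recorded, but no event is raised
            if not suppress:
                alerts.append((rule.msg, flow_key(pkt)))
    return alerts


# Constructed traffic: one client logs in and then sends LIST; a second client
# sends LIST without ever logging in. Addresses and ports are made up.
SERVER = "192.0.2.10"
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51000, SERVER, 143, 'a000 LIST "" "*"'),          # before login: no event
    Packet("10.0.0.5", 51000, SERVER, 143, "a001 LOGIN alice secret"),   # client request, no rule matches
    Packet(SERVER, 143, "10.0.0.5", 51000, "a001 OK LOGIN completed"),   # sets logged_in, noalert
    Packet("10.0.0.5", 51000, SERVER, 143, 'a002 LIST "" "*"'),          # logged_in is set: event
    Packet("10.0.0.9", 52000, SERVER, 143, 'b000 LIST "" "*"'),          # other session, never logged in
]

if __name__ == "__main__":
    for msg, flow in evaluate(SAMPLE_PACKETS):
        print(f"alert: {msg} on session {flow}")
```

Running the script prints exactly one alert, for the LIST sent after the OK LOGIN reply in the first session. Real Snort matches content against raw packet bytes and tracks sessions in its stream preprocessor; the model keeps only the part that matters here, namely that a flowbit set by one rule is visible to later rules on the same session and to nothing else.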