Is there a way to alert on bytes_toserver > N or pkts_toserver exceeding a certain value?
I tried to use this rule…
alert tcp $HOME_NET any -> $EXTERNAL_NET any (stream_size:either, >, 5000; sid:1;
threshold: type limit, track by_src, count 1, seconds 300;)
…hoping that bytes_toserver > 5000 would trigger every 5 minutes, but it doesn’t seem to work as I thought, using version 6 on Windows.
This is related in a way to this issue. https://redmine.openinfosecfoundation.org/issues/2301
The goal here is to have some data to key off of as soon as possible and not hours later when the flow event_type data is appended to the eve.json file.
I am combining this data with Windows process information. If Chrome has a lot of incoming traffic, then it will have a good bit of outgoing traffic. But other utility binaries, in theory, should rarely exceed a certain amount of bytes_toserver or pkts_toserver. Of course this would need to be tuned.
If this doesn’t already exist, I could use some guidance to understand what files would need to be modified to add this type of rule processing.
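An added example, not from the post above and not Suricata project code, of the host-side half of this idea: eve.json records (both `alert` records, which carry the flow's byte and packet counters at the moment the alert fired, and end-of-flow `flow` records) are scanned, each flow is attributed to a local process via its source port, and the bytes_toserver / pkts_toserver counters are compared against per-process limits. The eve lines, the port-to-process mapping (standing in for what one would collect on the Windows host, e.g. from Get-NetTCPConnection's OwningProcess) and the numeric limits are all constructed for the example.

```python
import json

# Constructed sample eve.json lines (not from the original post). Suricata's
# EVE alert records include a "flow" sub-object with the counters seen so far;
# "flow" event_type records carry the final counters when the flow ends.
SAMPLE_EVE = """\
{"timestamp":"2021-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"signature_id":1,"signature":"stream_size test"},"flow":{"pkts_toserver":12,"pkts_toclient":9,"bytes_toserver":6200,"bytes_toclient":4100}}
{"timestamp":"2021-03-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"203.0.113.20","dest_port":443,"proto":"TCP","alert":{"signature_id":1,"signature":"stream_size test"},"flow":{"pkts_toserver":40,"pkts_toclient":60,"bytes_toserver":52000,"bytes_toclient":900000}}
{"timestamp":"2021-03-01T10:05:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51002,"dest_ip":"203.0.113.30","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":2,"bytes_toserver":400,"bytes_toclient":300,"state":"closed","reason":"timeout"}}
"""

# Constructed mapping of local source port -> owning process. On the Windows
# host this would come from the OS (e.g. Get-NetTCPConnection OwningProcess).
# Assumption: a source port maps to one process at the time of the lookup.
PORT_TO_PROCESS = {51000: "certutil.exe", 51001: "chrome.exe", 51002: "svchost.exe"}

# Hypothetical per-process upper bounds on traffic to the server. A browser is
# allowed a lot; anything without an explicit entry gets the tight default.
DEFAULT_LIMITS = {"bytes_toserver": 5000, "pkts_toserver": 20}
PROCESS_LIMITS = {"chrome.exe": {"bytes_toserver": 5_000_000, "pkts_toserver": 5000}}


def limits_for(process):
    """Limits for a process name, falling back to the tight defaults."""
    return PROCESS_LIMITS.get(process, DEFAULT_LIMITS)


def check_event(event, port_to_process=PORT_TO_PROCESS):
    """Return a finding dict if the event's flow counters exceed the limits
    for the process owning its source port, otherwise None."""
    if event.get("event_type") not in ("alert", "flow"):
        return None  # stats, dns, http, ... do not carry per-flow counters here
    counters = event.get("flow") or {}
    process = port_to_process.get(event.get("src_port"), "unknown")
    limits = limits_for(process)
    exceeded = {name: counters[name]
                for name, limit in limits.items()
                if counters.get(name, 0) > limit}
    if not exceeded:
        return None
    return {
        "timestamp": event.get("timestamp"),
        "event_type": event["event_type"],
        "process": process,
        "src_port": event.get("src_port"),
        "dest_ip": event.get("dest_ip"),
        "dest_port": event.get("dest_port"),
        "exceeded": exceeded,
    }


def scan_eve(text, port_to_process=PORT_TO_PROCESS):
    """Scan eve.json text (one JSON object per line) and collect findings.
    Malformed lines (e.g. a partially written record while tailing) are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = check_event(event, port_to_process)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_eve(SAMPLE_EVE):
        print(json.dumps(finding))
```

Keying off the `alert` records means the check runs when the alert fires rather than when the flow record is finally written; the trade-off is that the counters in an alert record are a snapshot, so a flow that grows after its last alert is only caught by the end-of-flow record.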