Alert on bytes_toserver > N or pkts_toserver > N

Is there a way to alert on bytes_toserver > N or pkts_toserver exceeding a certain value?

I tried to use this rule…
alert tcp $HOME_NET any -> $EXTERNAL_NET any (stream_size:either, >, 5000; sid:1;
threshold: type limit, track by_src, count 1, seconds 300;)

…hoping that bytes_toserver > 5000 would trigger every 5 minutes, but it doesn’t seem to work as I thought using version 6 on windows.

This is related in a way to this issue. https://redmine.openinfosecfoundation.org/issues/2301
The goal here is to have some data to key off of as soon as possible and not hours later when the flow event_type data is appended to the eve.json file.

I am combining this data with Windows process information. If chrome has a lot of incoming traffic, then it will have a good bit of outgoing traffic. But other utility binaries, in theory, should rarely exceed a certain amount of bytes_toserver or pkts_toserver. Of course this would need to be tuned.

If this doesn’t already exist, I could use some guidance to understand what files would need to be modified to add this type of rule processing.

Hi,

Thanks for posting your question!

Please clarify what “it doesn’t seem to work as I thought”.

Is it alerting?

Alerting once but never again?

I am testing this by downloading 3 to 5 GB files. The event_type flow is showing large bytes_toserver and pkts_toserver. This is expected, a large download has a lot of traffic in both directions. But this data is only available when the connection is closed / timed out.

I have tested over 30 times over several hours and the alert fired about 5% of the time. This is either because I am misunderstanding what stream_size > 5000 means or there is a bug in how this is calculated.

Can anyone clarify the relation between bytes_toserver and the stream_size alert keyword? I am hoping to be able to identify all sorts of egress traffic (shells!) that exceed a certain threshold.

Is stream_size something that could be significantly lower than bytes_toserver / toclient because of some difference in the code logic?

Every 5 minutes for new flows or would you expect it for the same flow to happen again?

Sorry that was unclear. I am looking for new flows related to big downloads from different websites, ubuntu, debian, digital ocean speed tests, etc. Can you point me to the source code where stream_size is calculated? I am thinking of adding some print statements to better understand how that keyword keeps track of bytes.

You can also achieve that by a search in ES/Kibana for example on

‘“event_type”:“flow”’

flow.bytes_toclient:>500000 OR flow.bytes_toserver:>500000

The implementation for stream_size is in src/detect-stream_size.c

DetectStreamSizeMatch determines if there’s a match using the TCP session values (sequence numbers).

A consequence of looking at sequence numbers is that it won’t work for anything > 4GiB because sequence numbers are 32bit and wrap around. It’s quite possible that you’ll encounter issues much earlier.

I think it would be much nicer to have keywords that use the Flow's packet and byte counters.

1 Like

Victor,
I want to make sure I understand. As far as I know, today there are no alert keywords for packet FLOW byte counters. Are you saying that this is a feature you would like added to Suricata? The struggle I have with event_type flow is the data is not made available until the end of the flow. So based on my naive understanding, alert keywords for packet FLOW byte counters would be a huge improvement for faster detection.

Yeah, related to:
https://redmine.openinfosecfoundation.org/issues/3271
https://redmine.openinfosecfoundation.org/issues/2319

2 Likes

Besides, creating detect_flow_size.c and detect_flow_size.h, would I need to add or modify any other files? It seems like the code would be similar to detect_stream_size.c but instead of using
ssn->server.next_seq - ssn->server.isn
and
ssn->client.next_seq - ssn->client.isn
I would use
f->todstbytecnt
and
f->tosrcbytecnt

Does using detect_stream_size.c as a template for the new file detect_flow_size.c make sense? I am not sure if I need to modify anything else beside that.

Got the alert working.

Files modified are
src/detect-engine-register.h
src/detect-engine-register.c
src/Makefile.am

New Files
detect_flow_size.c and detect_flow_size.h

For those interested in how Suricata can now be used as an agent running on windows with the new bytes_toserver flow alert, I made a 3 minute video where I “attack” the hack the box machine called Jerry using metasploit. In the video you will see that an alert displays as soon as the meterpreter connection touches the server.
The Suricata alert triggers some custom code that will pull additional host information.

Great to see progress! Are you interested in contributing the keyword back?

Btw it seems the code you used to work of is not very modern, we’re slowly overhauling the keywords to be cleaner and faster too.

Of course. I will fork the suricata repo on github later this week and make my changes there.

3 Likes