Chaining of Alerts (rule dependency)

theSkyo · September 23, 2020, 8:23pm

Dear Suricata community,

is it possible to create a rule Y which will only match if rule X was previously triggered by a specific source?

Simple example:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HIGH TTL"; flags:S,12; ttl:>199; sid:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOW TTL";  flags:S,12; ttl:<200; sid:2;)

How do I find sources, which send a HIGH TTL SYN (first rule) and then within 10 seconds a LOW TTL SYN (second rule)? Please note that such SYNs might originate from different source ports, i.e., are not part of the same flow which is identified by the 5-tuple.

Any pointers are appreciated. Thank you!

syoc · September 25, 2020, 7:38am

Hi! Sounds like a job for xbits https://suricata.readthedocs.io/en/latest/rules/xbits.html

xbits:set,high_ttl,track ip_src, expire 10s; in the first rule and check the xbit in the second rule.

Topic		Replies	Views
Outbound traffic Rules	1	809	October 28, 2021
Setting flowbits for AND logic on same packet Rules	13	2505	November 24, 2020
Understanding packets and log records Rules suricata	0	415	January 3, 2023
Can't trigger custom rules Help	3	999	February 4, 2022
Only getting alerts if $home_net and $external_net are set to "any" Help	1	1546	October 14, 2020

Chaining of Alerts (rule dependency)

Related topics