How to use the Suricata keyword stream_size?

alert tcp any any -> any any (msg:"test"; flow:established,to_client; stream_size:server,<,280; sid:123456;)

How do I compare the stream_size value to the pcap stream or packet?

The official website guide about the keyword is vague. Could you please tell me in detail how to use it against the pcap file?
stream_size test.pcap (3.4 KB)

alert tcp any any -> any any (msg:"test2"; flow:established,to_client; stream_size:server,=,250; sid:1234567;)
This rule can make an alert. Does it match the relative serial number?


stream_size is an option to match the amount of stream bytes. As you can see, you can also use the Next Seq number or ‘Seq + Len’ value.
The behavior of the keyword is matched by subtracting the ISN from the next seq in each direction of the session (to_server, to_client).

I think the ‘Seq + Len’ value is not accurate in this picture,


because the rule ‘alert tcp any any -> any any (msg:"test2"; flow:established,to_client; stream_size:server,=,250; sid:1234567;)’ makes 2 alerts, and the picture above is one of the alert packets.

By the way, what’s the meaning of “ISN”, please?

In Wireshark, the LEN is not included because the sequence number represents the seq. To detect frame 17, the value 284 should be used. ISN is the Initial Sequence Number. Since sequence numbers are randomly generated in TCP, the ISN must be checked to identify the actually accumulated sequence.

And I want to know what the difference is between ‘flow:established,to_client; stream_size:server,<,284;’ and ‘flow:established,to_server; stream_size:server,<,284;’.
Can the direction impact the performance?

There is a difference in packet detection according to to_client/to_server. Assuming “stream_size:server,=,284” for comparison, frame 17 is detected when to_client is used. The reason is that the cumulative sequence of the server at the time corresponding to frame 17 is 284. On the other hand, if to_server is used, frame 18 is detected. In TCP, ACK indicates the peer’s Seq. Therefore, in frame 18, the sequence 284 of the server is marked as ACK. Frame 18 is detected because directionality is used as to_server.

Using directionality rather than not using directionality may be clearer in detection. However, it is difficult to just assume that the performance is affected by the difference according to the two directions. This is because the performance impact is mainly considered by specifying a distinct string such as fast_pattern(MPM).
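
The arithmetic discussed in this thread (next seq minus ISN per side, evaluated on packets of the chosen flow direction), as an added example that is not part of the original posts and is not Suricata code. It is a simplified model: the packet list, ISNs and frame numbers are constructed sample data, segments are assumed in order, and handshake segments are skipped as a stand-in for `flow:established`.

```python
# Simplified model of the stream_size arithmetic; not Suricata's implementation.
MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around

OPS = {"<": lambda a, b: a < b, ">": lambda a, b: a > b,
       "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}

def stream_sizes(packets):
    """Yield (frame, direction, sizes), where sizes[side] = next_seq - ISN."""
    isn, next_seq = {}, {}
    for frame, sender, seq, length, flags in packets:
        if "S" in flags:                      # SYN or SYN/ACK fixes the sender's ISN
            isn[sender] = seq
        # SYN and FIN each consume one sequence number in addition to payload.
        consumed = length + (1 if "S" in flags or "F" in flags else 0)
        next_seq[sender] = (seq + consumed) % MOD
        if "S" in flags or len(isn) < 2:
            continue                          # handshake: not yet "established"
        sizes = {side: (next_seq[side] - isn[side]) % MOD for side in isn}
        direction = "to_server" if sender == "client" else "to_client"
        yield frame, direction, sizes

def matching_frames(packets, flow_dir, side, op, value):
    """Frames where flow:established,<flow_dir>; stream_size:<side>,<op>,<value>; holds."""
    return [frame for frame, direction, sizes in stream_sizes(packets)
            if direction == flow_dir and OPS[op](sizes[side], value)]

# Constructed session: (frame, sender, seq, payload_len, flags).
SERVER_ISN = 0xFFFFFF00   # close to 2**32 so the sequence wrap is exercised
CLIENT_ISN = 1000
PACKETS = [
    (1, "client", CLIENT_ISN, 0, "S"),
    (2, "server", SERVER_ISN, 0, "SA"),
    (3, "client", CLIENT_ISN + 1, 0, "A"),
    (4, "client", CLIENT_ISN + 1, 120, "PA"),
    (5, "server", (SERVER_ISN + 1) % MOD, 200, "PA"),
    (6, "client", CLIENT_ISN + 121, 0, "A"),
    (7, "server", (SERVER_ISN + 201) % MOD, 83, "PA"),  # server size becomes 284
    (8, "client", CLIENT_ISN + 121, 0, "A"),            # ACK after the server data
]

if __name__ == "__main__":
    for flow_dir in ("to_client", "to_server"):
        hits = matching_frames(PACKETS, flow_dir, "server", "=", 284)
        print(f"flow:established,{flow_dir}; stream_size:server,=,284; -> frames {hits}")
```

With the same `stream_size:server,=,284` condition, `to_client` selects the server's own data segment and `to_server` selects the client segment that follows it, because the server-side counter is unchanged while the inspected packet direction differs.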