Long session detection

Is it possible to detect long sessions with Alert rules?
For Example:

  1. Alert established sessions with more than 1 hour of activity.
  2. Alert established sessions with more than 100 packets.

For example 2, have a look at the flowint keyword.
You could have one rule incrementing a flowint for each packet and another rule alerting if the flowint is > 100.

For example 1, there might be some combination of flowbits and threshold that could do it, but I’m not seeing it. Your use case is not playing to the strengths of Suricata and the rule language.

1 Like

I’m not very familiar with flowints, but this is how I think it works.
Your rule will never actually increment the int counter because the second flowint keyword never evaluates to true.
One rule with alert tcp any any -> any 3389 [..] flowint: rdppkt, +, 1, noalert; [..] and another with flowint: rdppkt, >, 50; might do the trick.

The first rule increments the counter but never alerts, the second checks the counter and alerts when the condition is reached. Note that you will get an alert for each packet after packet number 50 from the client to the server in each flow. You are also only counting packets from the client to the server, not total packets in the flow.

1 Like
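The two-rule flowint approach from the replies above, as an added worked example that is not part of the thread and not Suricata code. It writes the two rules out with `flowint` and `noalert` as separate keywords (the sid values are placeholders) and then runs a small model of per-flow integer semantics over constructed traffic, so you can see the two caveats the last reply raises: only client-to-server packets are counted, and the `>` comparison fires on every counted packet after the threshold. The model assumes, as that reply does, that the incrementing rule is evaluated before the checking rule on the same packet. The `==` variant at the end is my own addition, not something the thread proposes: comparing for equality with 51 yields a single alert per flow instead of one per packet.

```python
"""Toy model of the two-rule flowint counter discussed in the thread.

This is illustrative code, not Suricata; it does not parse rule files.
The traffic below is constructed for the example.
"""
from collections import defaultdict

# The rule pair the reply describes, with flowint and noalert written as
# separate keywords. The sid values are placeholders for this example.
RULE_COUNT = ('alert tcp any any -> any 3389 (msg:"count client->server pkts"; '
              'flowint:rdppkt,+,1; noalert; sid:1000001; rev:1;)')
RULE_CHECK = ('alert tcp any any -> any 3389 (msg:"more than 50 client pkts"; '
              'flowint:rdppkt,>,50; sid:1000002; rev:1;)')


def flow_key(pkt):
    """Direction-independent 5-tuple, so both halves of a session share a flow."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + tuple(sorted([a, b]))


def to_server(pkt):
    """The header 'any any -> any 3389' only matches client->server packets."""
    return pkt["dport"] == 3389


def run(packets, op=">", value=50):
    """Apply the counting rule, then the checking rule, to each packet.

    Returns (alerts, counters). alerts is a list of
    (packet_number, flow_key, counter_value) for every packet on which the
    checking rule would fire; counters holds the final flowint per flow.
    Assumes the incrementing rule runs before the checking rule on a packet.
    """
    counters = defaultdict(int)
    alerts = []
    for n, pkt in enumerate(packets, 1):
        if not to_server(pkt):
            continue                      # server->client packets never match
        key = flow_key(pkt)
        counters[key] += 1                # rule 1: flowint:rdppkt,+,1; noalert
        c = counters[key]
        hit = (c > value) if op == ">" else (c == value)
        if hit:                           # rule 2: flowint:rdppkt,>,50 (or ==)
            alerts.append((n, key, c))
    return alerts, dict(counters)


def sample_traffic():
    """Constructed traffic: one RDP-like flow from 10.0.0.5 with 60 packets in
    each direction, and a short 10-packet flow from 10.0.0.6 that must not alert."""
    pkts = []
    for i in range(60):
        pkts.append(dict(proto="tcp", src="10.0.0.5", sport=50000,
                         dst="10.0.0.9", dport=3389))
        pkts.append(dict(proto="tcp", src="10.0.0.9", sport=3389,
                         dst="10.0.0.5", dport=50000))
        if i < 10:
            pkts.append(dict(proto="tcp", src="10.0.0.6", sport=50001,
                             dst="10.0.0.9", dport=3389))
    return pkts


if __name__ == "__main__":
    alerts, counters = run(sample_traffic())
    print(f"'>' rule: {len(alerts)} alerts, counters={counters}")
    once, _ = run(sample_traffic(), op="==", value=51)
    print(f"'==' rule: {len(once)} alert(s), first on packet {once[0][0]}")
```

With the `>` comparison the long flow produces ten alerts, one for each client packet from the 51st onward, while the 120 server-to-client packets and the short flow contribute nothing; switching the checking rule to `flowint:rdppkt,==,51;` gives exactly one alert for that flow.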