Rules to check if threshold has not been met at the end of a flow

Hi everyone,

I am new to Suricata and not sure if what I am imagining is feasible.

For my thesis I am trying to generate IDS rules which check for the lower and upper limits of traffic features. A simple example would be “this host receives between 10-300 packets per flow”.

I am successfully checking for the upper limits with thresholds and flowints, but is there any way to check for the lower limits? Like having a flowbits flag and only checking it on connection teardown?

I guess this is possible with Lua scripts, but is there another way? I am not familiar with Lua, nor confident in learning it in time.

I am using the ids-dataset CIC-IDS2017, generating the rules from the labeled traffic, and testing them with the pcap files.

Working with V 7.0.2 installed with apt on a Kali Linux VM.

Any kind of help is appreciated; even a “that cannot be done” to show my professor would at least allow me to call it quits and focus on what can be done.

Maybe you can use the keywords like flow.pkts_toclient ?

Not sure if they exist in 7.0.2 or if you need latest git master though

Like flow.pkts_toclient:10-300

Hi Philippe,

I have tried flow.pkts_toclient before I noticed that it is only implemented in V 8.0.0.

But that would only work for the number-of-packets rule specifically; another example I would like to implement would be “In every flow a minimum of X ack flags is set”.

I could probably count ack flags in a flowint and then compare once I find a fin/ack, but what if an attacker does not send fin/ack?

Checking flowints when terminating through timeout, fin->fin/ack, etc. (does rst count?) is the only thing I can think of that works in every case.

Thank you very much for helping :smiley:
-T0llsk1
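The flowint counting approach from the reply above, written out as an added example (not rules from the thread or from the Suricata project): one silent rule increments a per-flow counter on every ACK-bearing packet, and two rules compare it when a FIN or RST is observed; the minimum of 10, the sids and the msg strings are assumed values.

```suricata
# Constructed example rules, not part of the original thread.
# Rule 1: count every TCP packet with the ACK flag set in a per-flow
# counter. "A+" matches ACK plus any other flags; "noalert" keeps the
# counting rule itself silent.
alert tcp any any -> any any (msg:"count ACK packets per flow"; flags:A+; flowint:ack_count,+,1; noalert; sid:1000001; rev:1;)

# Rule 2: on a packet carrying FIN (normal teardown), alert if fewer than
# 10 ACK packets were counted so far. Assumed minimum: 10.
alert tcp any any -> any any (msg:"flow closing with fewer than 10 ACK packets"; flags:F+; flowint:ack_count,<,10; sid:1000002; rev:1;)

# Rule 3: same check on a packet carrying RST (abortive teardown), so a
# peer that never sends FIN/ACK is still evaluated.
alert tcp any any -> any any (msg:"flow reset with fewer than 10 ACK packets"; flags:R+; flowint:ack_count,<,10; sid:1000003; rev:1;)
```

Both comparison rules only run when a teardown packet is actually seen, so a flow that ends by timeout is never evaluated (the gap the thread identifies), and a FIN/ACK packet also increments the counter in rule 1, so the minimum should be chosen with that final packet included.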