For flowbits in @snort 🐷, order matters:
In Suricata, flowbits:isset is checked after the fast pattern match but before other content matches.
In Snort, flowbits:isset is checked in the order it appears in the rule, from left to right.
Source: suricata.readthedocs.io/en/latest/rule…
@snort I really like using flowbits for exploitation attempts & responses.
I started doing this when tackling those massive #Struts vulns. And today we explained how to use them for CVE-2019-19781: fireeye.com/blog/products-…
@snort @_bromiley POP QUIZ: what does this do?
𝗱𝗶𝘀𝘁𝗮𝗻𝗰𝗲:-𝟭;
To see it in action, see our blog post: fireeye.com/blog/products-… (source of screenshot)
The next tweet has the answer.
This is distance, @snort's content keyword modifier for how many bytes to begin looking after the previous content match.
I first saw negative distance years ago in my teammate @reesespcres's rules.
Here's a helpful @TalosSecurity blog from 2012 with more: blog.talosintelligence.com/2012/09/using-…
@snort @reesespcres @TalosSecurity Ok if we're going to go all the way back and you somehow haven't read @JoelEsler's 2010 blog on offset + depth and distance + within ... please do so now: blog.joelesler.net/2010/03/offset…
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.