Use of flowbits in snort rules



I am trying to write a snort rule that includes flowbits. The idea is that the alert is not raised upon first reception of the packet, but only if the packet is received twice (raise the alert upon reception of the second packet only). I do not find clear indications of how to use flowbits in this case. I have found a rule that seems to do that job in /etc/snort/rules/web-client.rules (see below), but I am not very clear how it really works.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2659; rev:4;)

Any explanation of the previous rule and the idea is welcome. Thanks
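The two-rule pattern the question describes, as an added example that is not part of the original post or of the stock web-client.rules file: the first rule only records state on the flow (set the bit, suppress the alert), the second rule fires only when the same content is seen again on that flow with the bit already set. The flowbit name `example.first_seen`, the `$HOME_NET` variable, the message text and the sids are assumed placeholders; the content match is kept identical to the SSLv2 check quoted above so both rules test for the same packet.

```snort
# Rule 1: first matching packet on this TCP flow. Record it, do not alert.
#   - flowbits:isnotset  -> only runs while the bit is still clear
#   - flowbits:set       -> mark the flow once the content has matched
#   - flowbits:noalert   -> this rule exists for state only, no event is generated
# Names (example.first_seen, sids 1000001/1000002, EXAMPLE msg) are placeholders.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE first matching packet on flow, state only"; flow:to_server,established; flowbits:isnotset,example.first_seen; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,example.first_seen; flowbits:noalert; classtype:protocol-command-decode; sid:1000001; rev:1;)

# Rule 2: same content seen again on the same flow while the bit is set -> alert.
#   On the second packet rule 1 no longer matches (isnotset fails) and rule 2 does.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE matching packet repeated on same flow"; flow:to_server,established; flowbits:isset,example.first_seen; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; classtype:protocol-command-decode; sid:1000002; rev:1;)
```

Flowbits are kept per flow (TCP session), so "received twice" here means twice within one session; a repeat from a new connection starts with the bit clear again and is handled by rule 1.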
